libssh2: try sha2 algos for hostkey methods

As is supported by recent libssh2, but should just be ignored by older
versions.

Reported-by: norbertmm on github
Assisted-by: no

libssh2: try sha2 algos for hostkey methods

As is supported by recent libssh2, but should just be ignored by older
versions.

Reported-by: norbertmm on github
Assisted-by: norbertmm on github
Fixes #10143
Closes #10145

show more ...

typecheck: accept expressions for option/info parameters

As expressions can have side effects, evaluate only once.

To enable deprecation reporting only once, get rid of the __typeof

typecheck: accept expressions for option/info parameters

As expressions can have side effects, evaluate only once.

To enable deprecation reporting only once, get rid of the __typeof__
use to define the local temporary variable and use the target type
(CURLoption/CURLINFO). This also avoids multiple reports on type
conflicts (if some) by the curlcheck_* macros.

Note that CURLOPT_* and CURLINFO_* symbols may be deprecated, but not
their values: a curl_easy_setopt call with an integer constant as option
will never report a deprecation.

Reported-by: Thomas Klausner
Fixes #10148
Closes #10149

show more ...

tests: avoid use of sha1 in certificates

The SHA-1 algorithm is deprecated (particularly for security-sensitive
applications) in a variety of OS environments. This already affects
RH

tests: avoid use of sha1 in certificates

The SHA-1 algorithm is deprecated (particularly for security-sensitive
applications) in a variety of OS environments. This already affects
RHEL-9 and derivatives, which are not willing to use certificates using
that algorithm. The fix is to use sha256 instead, which is already used
for most of the other certificates in the test suite.

Fixes #10135

This gets rid of issues related to sha1 signatures.

Manual steps after "make clean-certs" and "make build-certs":

- Copy tests/certs/stunnel-sv.pem to tests/stunnel.pem
(make clean-certs does not remove the original tests/stunnel.pem)

- Copy tests/certs/Server-localhost-sv.pubkey-pinned into --pinnedpubkey
options of tests/data/test2041 and tests/data/test2087

Closes #10153

show more ...

cmake: fix the snprintf detection

I haven't had the time to check other configurations, but on my macOS
Ventura 13.1 with XCode 14.2 cmake does not find `snprintf`.

Solution: en

cmake: fix the snprintf detection

I haven't had the time to check other configurations, but on my macOS
Ventura 13.1 with XCode 14.2 cmake does not find `snprintf`.

Solution: ensure stdio.h is checked for definitions

Closes #10155

show more ...

http: remove the trace message "Mark bundle... multiuse"

The message "Mark bundle as not supporting multiuse" was added at commit
29364d93 when an http/2-related bug was fixed, and it ap

http: remove the trace message "Mark bundle... multiuse"

The message "Mark bundle as not supporting multiuse" was added at commit
29364d93 when an http/2-related bug was fixed, and it appears to be a
leftover trace message.

This message should be removed because:
* it conveys no information to the user
* it is enabled in the default build (--enable-verbose)
* it reads like a warning/unexpected condition
* it is equivalent to "Detected http proto < 2", which is
not a useful message.
* it is a time-wasting red-herring for anyone who encounters
it for the first time while investigating some other, real
problem.

This commit removes the trace message "Mark bundle as not
supporting multiuse"

Closes #10159

show more ...

url: fix build with `--disable-cookies`

Struct `UserDefined` has no member `cookielist` if
`CURL_DISABLE_COOKIES` is defined.

Follow-up to af5999a

Closes #10158

runtests: also tear down http2/http3 servers when https server is stopped

Closes #10114

tests: add 3 new HTTP/2 test cases, plus https: support for nghttpx

- a simple https get
- a simple https post
- a multi get of 4 requests and check that same connection was used

tests: add 3 new HTTP/2 test cases, plus https: support for nghttpx

- a simple https get
- a simple https post
- a multi get of 4 requests and check that same connection was used

Closes #10114

show more ...

urldata: remove unused struct fields, made more conditional

- source_quote, source_prequote and source_postquote have not been used since
5e0d9aea3; September 2006

- make seve

urldata: remove unused struct fields, made more conditional

- source_quote, source_prequote and source_postquote have not been used since
5e0d9aea3; September 2006

- make several fields conditional on proxy support

- make three quote struct fields conditional on FTP || SSH

- make 'mime_options' depend on MIME

- make trailer_* fields depend on HTTP

- change 'gssapi_delegation' from long to unsigned char

- make 'localportrange' unsigned short instead of int

- conn->trailer now depends on HTTP

Closes #10147

show more ...

urldata: make set.http200aliases conditional on HTTP being present

And make a few SSH-only fields depend on SSH

Closes #10140

md4: fix build with GnuTLS + OpenSSL v1

Reported-by: Esdras de Morais da Silva

Fixes #10110
Closes #10142

urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP

Closes #10139

misc: fix grammar and spelling

Closes #10137

urldata: move the cookefilelist to the 'set' struct

The cookiefile entries are set into the handle and should remain set for
the lifetime of the handle so that duplicating it also duplic

urldata: move the cookefilelist to the 'set' struct

The cookiefile entries are set into the handle and should remain set for
the lifetime of the handle so that duplicating it also duplicates the
list. Therefore, the struct field is moved from 'state' to 'set'.

Fixes #10133
Closes #10134

show more ...

strdup: name it Curl_strdup

It does not belong in the curlx_ name space as it is never used
externally.

Closes #10132

msh3: update to v0.5 Release

Closes #10125

workflows/linux.yml: merge 3 common packages

Closes #10071

docs: mention indirect effects of --insecure

Warn users that disabling certficate verification allows servers to
"pollute" curl with data it trusts.

Reported-by: Harry Sintonen

docs: mention indirect effects of --insecure

Warn users that disabling certficate verification allows servers to
"pollute" curl with data it trusts.

Reported-by: Harry Sintonen
Closes #10126

show more ...

SECURITY-PROCESS.md: document severity levels

Closes #10118

RELEASE_NOTES: synced

bumped version for new cycle

tool_operate: fix `CURLOPT_SOCKS5_GSSAPI_NEC` type

`CURLOPT_SOCKS5_GSSAPI_NEC` is a long, while `socks5_gssapi_nec` was
made a bool in commit 4ac64eadf60.

Closes https://github.

tool_operate: fix `CURLOPT_SOCKS5_GSSAPI_NEC` type

`CURLOPT_SOCKS5_GSSAPI_NEC` is a long, while `socks5_gssapi_nec` was
made a bool in commit 4ac64eadf60.

Closes https://github.com/curl/curl/pull/10124

show more ...

RELEASE-NOTES: synced

The curl 7.87.0 release

THANKS: 40 new contributors from 7.87.0

http: fix the ::1 comparison for IPv6 localhost for cookies

When checking if there is a "secure context", which it is if the
connection is to localhost even if the protocol is HTTP, the

http: fix the ::1 comparison for IPv6 localhost for cookies

When checking if there is a "secure context", which it is if the
connection is to localhost even if the protocol is HTTP, the comparison
for ::1 was done incorrectly and included brackets.

Reported-by: BratSinot on github

Fixes #10120
Closes #10121

show more ...

CI/spell: actions/checkout@v2 > actions/checkout@v3