265b14d6 | 01-Jun-2021 |
Daniel Stenberg |
metalink: remove

Warning: this will make existing curl command lines that use metalink to stop working.

Reasons for removal:

1. We've found several security problems and issues involving the metalink support in curl. The issues are not detailed here. When working on those, it became apparent to the team that several of the problems are due to the system design, metalink library API and what the metalink RFC says. They are very hard to fix on the curl side only.

2. The metalink usage with curl was only very briefly documented and was not following the "normal" curl usage pattern in several ways, making it surprising and non-intuitive which could lead to further security issues.

3. The metalink library was last updated 6 years ago and wasn't so active the years before that either. An unmaintained library means there's a security problem waiting to happen. This is probably reason enough.

4. Metalink requires an XML parsing library, which is complex code (even the smaller alternatives) and to this day often gets security updates.

5. Metalink is not a widely used curl feature. In the 2020 curl user survey, only 1.4% of the responders said that they are using it. In 2021 that number was 1.2%. Searching the web also shows very few traces of it being used, even with other tools.

6. The torrent format and associated technology clearly won for downloading large files from multiple sources in parallel.

Closes #7176
|
9cf516ad | 06-Jun-2021 |
Daniel Stenberg |
docs/INSTALL: remove mentions of configure --with-darwin-ssl ... as it isn't supported since a while back. Make configure fail with a warning if used. Reported-by: Vadim Grinshpun Bug: https://curl.se/mail/lib-2021-06/0008.html Closes #7200
|
ace3d91f | 06-Jun-2021 |
Daniel Stenberg |
RELEASE-NOTES: synced |
f777e752 | 31-May-2021 |
Gregor Jasny |
cmake: Avoid leaking absolute paths into exported config

The `find_library` command resolves the library or framework into an absolute path. In case of system frameworks which are located within an Xcode-provided SDK this results in the Xcode path and SDK version being part of the library path. Because those library paths end up in the exported CMake config, importing curl will fail once the Xcode location or SDK version changes:

```cmake
set_target_properties(CURL::libcurl PROPERTIES
  INTERFACE_INCLUDE_DIRECTORIES "${_IMPORT_PREFIX}/include"
  INTERFACE_LINK_LIBRARIES "lber;ldap;/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX11.3.sdk/System/Library/Frameworks/SystemConfiguration.framework;OpenSSL::SSL;OpenSSL::Crypto;ZLIB::ZLIB"
)
```

A work-around is to link against system-level frameworks with `-framework XYZ`. In case of `SystemConfiguration` we might be able to omit the lookup-check because we could assume the framework is always present.

Closes #7152
|
a0709f99 | 04-Jun-2021 |
Shikha Sharma |
http2_connisdead: handle trailing GOAWAY better When checking the connection the input processing returns error immediately, we now consider that a dead connection. Bug: https://curl.se/mail/lib-2021-06/0001.html Closes #7192
|
4bd20889 | 03-Jun-2021 |
Dmitry Karpov |
ares: always store IPv6 addresses first Trying dual-stack on some embedded platform, I noticed that quite frequently (20%) libCurl starts from IPv4 regardless of the Happy Eyeballs timeout value. After debugging this issue, I noticed that this happens if c-ares resolver response for IPv6 family comes before IPv4 (which was randomly happening in my tests). In such cases, because libCurl puts the last resolver response on top of the address list, when IPv4 resolver response comes after IPv6 one - the IPv4 family starts the connection phase instead of IPv6 family. The solution for this issue is to always put IPv6 addresses on top of the address list, regardless of the order of resolver responses. Bug: https://curl.se/mail/lib-2021-06/0003.html Closes #7188
|
0a513555 | 05-Jun-2021 |
Daniel Stenberg |
Revert "Revert "socketpair: fix potential hangs"" This reverts commit 3e70c3430a370a31eff2c1d8fea29edaca8f1127. Thus brings back the change from #7144 as was originally landed in c769d1eab4de8b Closes #7144 (again)
|
68d38806 | 01-Jun-2021 |
Ebe Janchivdorj |
schannel: move code out of SChannel_connect_step1 Reviewed-by: Marc Hoersken Closes #7168 |
510e6e9a | 04-Jun-2021 |
Daniel Stenberg |
tests/data/Makefile.inc: error: trailing backslash on last line Follow-up to d8dcb399b8009d |
60e42677 | 04-Jun-2021 |
Daniel Stenberg |
TODO: Support rate-limiting for MQTT |
e4662ad7 | 02-Jun-2021 |
dmitrykos |
warnless: simplify type size handling By using sizeof(T), existing defines and relying on the compiler to define the required signed/unsigned mask. Closes #7181 |
1838925a | 04-Jun-2021 |
Gisle Vanem |
[Win32] Fix for USE_WATT32 My Watt-32 tcp/ip stack works on Windows but it does not have `WSAIoctl()` |
d8dcb399 | 03-Jun-2021 |
Alexis Vachette |
url: bad CURLOPT_CONNECT_TO syntax now returns error Added test 3020 to verify Closes #7183 |
4b3d8f35 | 03-Jun-2021 |
Daniel Stenberg |
github: remove the cmake macOS gcc-8 jobs They're too similar to the gcc-9 ones to be useful (and seems to not work anymore). Closes #7187 |
628ebd82 | 03-Jun-2021 |
Daniel Stenberg |
test269: disable for hyper --ignore-content-length / CURLOPT_IGNORE_CONTENT_LENGTH doesn't work with hyper. Closes #7184 |
b193fd3b | 03-Jun-2021 |
Daniel Stenberg |
runtests: enable 'hyper mode' only for HTTP tests The 'hyper mode' makes line-ending checks work in the test suite for when hyper is used. Now it also requires that HTTP or HTTPS are mentioned as keywords to be enabled so that it doesn't wrongly adjust tests for other protocols. This makes test 271 (TFTP) work again in hyper enabled builds. Closes #7185
|
cb39b4b7 | 02-Jun-2021 |
Alexis Vachette |
hostip: bad CURLOPT_RESOLVE syntax now returns error Added test 3019 Fixes #7170 Closes #7174 |
002f976c | 03-Jun-2021 |
Daniel Gustafsson |
cookies: fix typo and expand comment Fix a typo in the sorting comment, and while in there elaborate slightly on why creationtime can be used as a tiebreaker. |
9750bc97 | 03-Jun-2021 |
Daniel Gustafsson |
cookies: remove unused header Commit 1c1d9f1affbd3367bcb24062e261d0ea5d185e3a removed the last use for the inet_pton.h headerfile, this removes the inclusion of the header. Closes: #7182 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
|
3e70c343 | 03-Jun-2021 |
Daniel Stenberg |
Revert "socketpair: fix potential hangs" This reverts commit c769d1eab4de8b9f1bd84d992c63692fdc43c5be. See #7144 for details |
c769d1ea | 28-May-2021 |
Paul Groke |
socketpair: fix potential hangs Fixes potential hang in accept by using select + non-blocking accept. Fixes potential hang in peer check by replacing the send/recv check with a getsockname/getpeername check. Adds length check for returned sockaddr data. Closes #7144
|
3c0f4622 | 02-Jun-2021 |
Daniel Stenberg |
runtests: parse data/Makefile.inc instead of using make The warning about missing entries in that file then doesn't require that the Makefile has been regenerated which was confusing. The scan for the test num is a little more error prone than before (since now it doesn't actually verify that it is legitimate Makefile syntax), but I think it is good enough. Closes #7177
|
e4db6fb0 | 02-Jun-2021 |
Harry Sintonen |
filecheck: quietly remove test-place/*~ Closes #7179 |
6793332e | 02-Jun-2021 |
Daniel Stenberg |
CURLE_SETOPT_OPTION_SYNTAX: new error name for wrong setopt syntax For options that pass in lists or strings that are subsequently parsed and must be correct. This broadens the scope for the option previously known as CURLE_TELNET_OPTION_SYNTAX but the old name is of course still provided as a #define for existing applications. Closes #7175
|
9dc0baf5 | 02-Jun-2021 |
Daniel Stenberg |
tests: fix Accept-Encoding strips to work with Hyper builds The previous strip also removed the CR which turned problematic. valgrind.supp: add zstd suppression using hyper Reported-and-analyzed-by: Kevin Burke Fixes #7169 Closes #7171
|