strtok: use namespaced `strtok_r` macro instead of redefining it

krb5 defines `strtok_r` for Windows unconditionally in its public
header:
https://github.com/krb5/krb5/blob/dc5554394

strtok: use namespaced `strtok_r` macro instead of redefining it

krb5 defines `strtok_r` for Windows unconditionally in its public
header:
https://github.com/krb5/krb5/blob/dc5554394e5a4363b3e109623edbeb9ad6c18a62/src/include/win-mac.h#L214-L215
resulting in this warning:
```
lib\strtok.h(31,9): warning C4005: 'strtok_r': macro redefinition
C:\vcpkg\installed\x64-windows\include\win-mac.h(215,9):
see previous definition of 'strtok_r'
```

The krb5 macro collides with curl's internal definition, in case
the `strtok_r` function is undetected and falling back to a local
replacement.

Reported-by: Tal Regev
Bug: https://github.com/curl/curl/pull/15549#issuecomment-2468251761
Closes #15564

show more ...

cookie: treat cookie name case sensitively

Extend test 31 to verify

Reported-by: delogicsreal on github
Fixes #15492
Closes #15493

src/lib: remove redundant ternary operators

Closes #15435

cookie: overhaul and cleanup

- split the huge Curl_cookie_add() into several smaller static functions

- switch to using the common llist instead of custom linked list

- use

cookie: overhaul and cleanup

- split the huge Curl_cookie_add() into several smaller static functions

- switch to using the common llist instead of custom linked list

- use less memory for *getlist()

- use bitfields for flags in the Cookie struct

- avoid the copy for date parsing

- more consistent variable naming

Closes #15247

show more ...

lib/src: white space edits to comply better with code style

... as checksrc now finds and complains about these.

Closes #14921

lib, src, tests: added space around ternary expressions

Closes #14912

lib: use FMT_ as prefix instead of CURL_FORMAT_

For printf format defines used internally. Makes the code slighly
easier to read.

Closes #14764

cookie: add more debug tracing to set-cookie handling

Might help us see why test977 fails occasionally.

Closes #14705

code: language cleanup in comments

Based on the standards and guidelines we use for our documentation.

- expand contractions (they're => they are etc)
- host name = > hostname

code: language cleanup in comments

Based on the standards and guidelines we use for our documentation.

- expand contractions (they're => they are etc)
- host name = > hostname
- file name => filename
- user name = username
- man page => manpage
- run-time => runtime
- set-up => setup
- back-end => backend
- a HTTP => an HTTP
- Two spaces after a period => one space after period

Closes #14073

show more ...

lib: tidy up types and casts

Cherry-picked from #13489
Closes #13862

lib: silence warnings on comma misuse

Building curl with -Wcomma, I see warnings about "possible misuse of
comma operator here" and moving fields assignment out of the for() fixes
it

lib: silence warnings on comma misuse

Building curl with -Wcomma, I see warnings about "possible misuse of
comma operator here" and moving fields assignment out of the for() fixes
it.

Closes #13392

show more ...

cookie: if psl fails, reject the cookie

A libpsl install without data and no built-in database is now considered
bad enough to reject all cookies since they cannot be checked. It is

cookie: if psl fails, reject the cookie

A libpsl install without data and no built-in database is now considered
bad enough to reject all cookies since they cannot be checked. It is
somewhat of a user error, but still.

Reported-by: Dan Fandrich
Closes #13033

show more ...

lib: convert Curl_get_line to use dynbuf

Create the line in a dynbuf. Aborts the reading of the file on
errors. Avoids having to always allocate maximum amount from the
start. Avoids

lib: convert Curl_get_line to use dynbuf

Create the line in a dynbuf. Aborts the reading of the file on
errors. Avoids having to always allocate maximum amount from the
start. Avoids direct malloc.

Closes #12846

show more ...

build: enable missing OpenSSF-recommended warnings, with fixes

https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
as of 2023-11-29 [1]

build: enable missing OpenSSF-recommended warnings, with fixes

https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
as of 2023-11-29 [1].

Enable new recommended warnings (except `-Wsign-conversion`):

- enable `-Wformat=2` for clang (in both cmake and autotools).
- add `CURL_PRINTF()` internal attribute and mark functions accepting
printf arguments with it. This is a copy of existing
`CURL_TEMP_PRINTF()` but using `__printf__` to make it compatible
with redefinting the `printf` symbol:
https://gcc.gnu.org/onlinedocs/gcc-3.0.4/gcc_5.html#SEC94
- fix `CURL_PRINTF()` and existing `CURL_TEMP_PRINTF()` for
mingw-w64 and enable it on this platform.
- enable `-Wimplicit-fallthrough`.
- enable `-Wtrampolines`.
- add `-Wsign-conversion` commented with a FIXME.
- cmake: enable `-pedantic-errors` the way we do it with autotools.
Follow-up to d5c0351055d5709da8f3e16c91348092fdb481aa #2747
- lib/curl_trc.h: use `CURL_FORMAT()`, this also fixes it to enable format
checks. Previously it was always disabled due to the internal `printf`
macro.

Fix them:

- fix bug where an `set_ipv6_v6only()` call was missed in builds with
`--disable-verbose` / `CURL_DISABLE_VERBOSE_STRINGS=ON`.
- add internal `FALLTHROUGH()` macro.
- replace obsolete fall-through comments with `FALLTHROUGH()`.
- fix fallthrough markups: Delete redundant ones (showing up as
warnings in most cases). Add missing ones. Fix indentation.
- silence `-Wformat-nonliteral` warnings with llvm/clang.
- fix one `-Wformat-nonliteral` warning.
- fix new `-Wformat` and `-Wformat-security` warnings.
- fix `CURL_FORMAT_SOCKET_T` value for mingw-w64. Also move its
definition to `lib/curl_setup.h` allowing use in `tests/server`.
- lib: fix two wrongly passed string arguments in log outputs.
Co-authored-by: Jay Satiro
- fix new `-Wformat` warnings on mingw-w64.

[1] https://github.com/ossf/wg-best-practices-os-developers/blob/56c0fde3895bfc55c8a973ef49a2572c507b2ae1/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.md

Closes #12489

show more ...

cookie: avoid fopen with empty file name

Closes #12514

lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding

Since the copy does not stop at a null byte, let's not call it anything
that makes you think it works like the common s

lib: rename Curl_strndup to Curl_memdup0 to avoid misunderstanding

Since the copy does not stop at a null byte, let's not call it anything
that makes you think it works like the common strndup() function.

Based on feedback from Jay Satiro, Stefan Eissing and Patrick Monnerat

Closes #12490

show more ...

lib: strndup/memdup instead of malloc, memcpy and null-terminate

- bufref: use strndup
- cookie: use strndup
- formdata: use strndup
- ftp: use strndup
- gtls: use aprin

lib: strndup/memdup instead of malloc, memcpy and null-terminate

- bufref: use strndup
- cookie: use strndup
- formdata: use strndup
- ftp: use strndup
- gtls: use aprintf instead of malloc + strcpy * 2
- http: use strndup
- mbedtls: use strndup
- md4: use memdup
- ntlm: use memdup
- ntlm_sspi: use strndup
- pingpong: use memdup
- rtsp: use strndup instead of malloc, memcpy and null-terminate
- sectransp: use strndup
- socks_gssapi.c: use memdup
- vtls: use dynbuf instead of malloc, snprintf and memcpy
- vtls: use strdup instead of malloc + memcpy
- wolfssh: use strndup

Closes #12453

show more ...

cookie: lowercase the domain names before PSL checks

Reported-by: Harry Sintonen

Closes #12387

urldata: move cookielist from UserDefined to UrlState

1. Because the value is not strictly set with a setopt option.

2. Because otherwise when duping a handle when all the set.* fie

urldata: move cookielist from UserDefined to UrlState

1. Because the value is not strictly set with a setopt option.

2. Because otherwise when duping a handle when all the set.* fields are
first copied and an error happens (think out of memory mid-function),
the function would easily free the list *before* it was deep-copied,
which could lead to a double-free.

Closes #12323

show more ...

misc: fix -Walloc-size warnings

GCC 14 introduces a new -Walloc-size included in -Wextra which gives:

```
src/tool_operate.c: In function ‘add_per_transfer’:
src/tool_operat

misc: fix -Walloc-size warnings

GCC 14 introduces a new -Walloc-size included in -Wextra which gives:

```
src/tool_operate.c: In function ‘add_per_transfer’:
src/tool_operate.c:213:5: warning: allocation of insufficient size ‘1’ for type ‘struct per_transfer’ with size ‘480’ [-Walloc-size]
213 | p = calloc(sizeof(struct per_transfer), 1);
| ^
src/var.c: In function ‘addvariable’:
src/var.c:361:5: warning: allocation of insufficient size ‘1’ for type ‘struct var’ with size ‘32’ [-Walloc-size]
361 | p = calloc(sizeof(struct var), 1);
| ^
```

The calloc prototype is:
```
void *calloc(size_t nmemb, size_t size);
```

So, just swap the number of members and size arguments to match the
prototype, as we're initialising 1 struct of size `sizeof(struct
...)`. GCC then sees we're not doing anything wrong.

Closes #12292

show more ...

lib: add and use Curl_strndup()

The Curl_strndup() function is similar to memdup(), but copies 'n' bytes
then adds a terminating null byte ('\0').

Closes #12251

cookie: set ->running in cookie_init even if data is NULL

This is a regression introduced in b1b326ec500 (shipped in curl 8.1.0)

Test 3103 verifies.

Fixes #11875
Report

cookie: set ->running in cookie_init even if data is NULL

This is a regression introduced in b1b326ec500 (shipped in curl 8.1.0)

Test 3103 verifies.

Fixes #11875
Reported-by: wangp on github
Closes #11876

show more ...

cookie: reduce variable scope, add const

cookie: do not store the expire or max-age strings

Convert it to an expire time at once and save memory.

Closes #11862

cookie: remove unnecessary struct fields

Plus: reduce the hash table size from 256 to 63. It seems unlikely to
make much of a speed difference for most use cases but saves 1.5KB of
d

cookie: remove unnecessary struct fields

Plus: reduce the hash table size from 256 to 63. It seems unlikely to
make much of a speed difference for most use cases but saves 1.5KB of
data per instance.

Closes #11862

show more ...