copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the

copyright: make repository REUSE compliant

Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.

This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.

Closes #8869

show more ...

mprintf: ignore clang non-literal format string

Closes #8740

mprintf: remove strlen calls on empty strings in dprintf_formatf

Turns out that in dprintf_formatf we did a strlen on empty strings, a
bit strange is how common this actually is, 24 alon

mprintf: remove strlen calls on empty strings in dprintf_formatf

Turns out that in dprintf_formatf we did a strlen on empty strings, a
bit strange is how common this actually is, 24 alone when doing a simple
GET from https://curl.se

Closes #8427

show more ...

misc: remove the final watcom references

Follow-up to bbf8cae44dedc495e6

We removed support for the watcom builds files back in September
2020. This removes all remaining watcom

misc: remove the final watcom references

Follow-up to bbf8cae44dedc495e6

We removed support for the watcom builds files back in September
2020. This removes all remaining watcom references and ifdefs.

Closes #8287

show more ...

checksrc: detect more kinds of NULL comparisons we avoid

Co-authored-by: Jay Satiro
Closes #8180

msnprintf: return number of printed characters excluding null byte

... even when the output is "capped" by the maximum length argument.

Clarified in the docs.

Closes #7361

tidy-up: make conditional checks more consistent

... remove '== NULL' and '!= 0'

Closes #6912

curl.se: new home

Closes #6172

checksrc: warn on space after exclamation mark

Closes #6034

dynbuf: make *addf() not require extra mallocs

... by introducing a printf() function that appends directly into a
dynbuf: Curl_dyn_vprintf(). This avoids the mandatory extra malloc so i

dynbuf: make *addf() not require extra mallocs

... by introducing a printf() function that appends directly into a
dynbuf: Curl_dyn_vprintf(). This avoids the mandatory extra malloc so if
the buffer is already big enough it can just printf directly into it.

Since this less-malloc version requires tthe use of a library internal
printf function, we only provide this version when building libcurl and
not for the dynbuf code that is used when building the curl tool.

Closes #5998

show more ...

checksrc: verify do-while and spaces between the braces

Updated mprintf.c to comply

Closes #5845

mprintf: Fix stack overflows

Stack overflows can occur with precisions for integers and floats.

Proof of concepts:
- curl_mprintf("%d, %.*1$d", 500, 1);
- curl_mprintf("%d,

mprintf: Fix stack overflows

Stack overflows can occur with precisions for integers and floats.

Proof of concepts:
- curl_mprintf("%d, %.*1$d", 500, 1);
- curl_mprintf("%d, %+0500.*1$f", 500, 1);

Ideally, compile with -fsanitize=address which makes this undefined
behavior a bit more defined for debug purposes.

The format strings are valid. The overflows occur due to invalid
arguments. If these arguments are variables with contents controlled
by an attacker, the function's stack can be corrupted.

Also see CVE-2016-9586 which partially fixed the float aspect.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Closes https://github.com/curl/curl/pull/5722

show more ...

mprintf: Fix dollar string handling

Verify that specified parameters are in range. If parameters are too
large, fail early on and avoid out of boundary accesses.

Also do not rea

mprintf: Fix dollar string handling

Verify that specified parameters are in range. If parameters are too
large, fail early on and avoid out of boundary accesses.

Also do not read behind boundaries of illegal format strings.

These are defensive measures since it is expected that format strings
are well-formed. Format strings should not be modifiable by user
input due to possible generic format string attacks.

Closes https://github.com/curl/curl/pull/5722

show more ...

source cleanup: remove all custom typedef structs

- Stick to a single unified way to use structs
- Make checksrc complain on 'typedef struct {'
- Allow them in tests, public heade

source cleanup: remove all custom typedef structs

- Stick to a single unified way to use structs
- Make checksrc complain on 'typedef struct {'
- Allow them in tests, public headers and examples

- Let MD4_CTX, MD5_CTX, and SHA256_CTX typedefs remain as they actually
typedef different types/structs depending on build conditions.

Closes #5338

show more ...

dynbuf: introduce internal generic dynamic buffer functions

A common set of functions instead of many separate implementations for
creating buffers that can grow when appending data to t

dynbuf: introduce internal generic dynamic buffer functions

A common set of functions instead of many separate implementations for
creating buffers that can grow when appending data to them. Existing
functionality has been ported over.

In my early basic testing, the total number of allocations seem at
roughly the same amount as before, possibly a few less.

See docs/DYNBUF.md for a description of the API.

Closes #5300

show more ...

build: Disable Visual Studio warning "conditional expression is constant"

- Disable warning C4127 "conditional expression is constant" globally
in curl_setup.h for when building with M

build: Disable Visual Studio warning "conditional expression is constant"

- Disable warning C4127 "conditional expression is constant" globally
in curl_setup.h for when building with Microsoft's compiler.

This mainly affects building with the Visual Studio project files found
in the projects dir.

Prior to this change the cmake and winbuild build systems already
disabled 4127 globally for when building with Microsoft's compiler.
Also, 4127 was already disabled for all build systems in the limited
circumstance of the WHILE_FALSE macro which disabled the warning
specifically for while(0). This commit removes the WHILE_FALSE macro and
all other cruft in favor of disabling globally in curl_setup.

Background:

We have various macros that cause 0 or 1 to be evaluated, which would
cause warning C4127 in Visual Studio. For example this causes it:

#define Curl_resolver_asynch() 1

Full behavior is not clearly defined and inconsistent across versions.
However it is documented that since VS 2015 Update 3 Microsoft has
addressed this somewhat but not entirely, not warning on while(true) for
example.

Prior to this change some C4127 warnings occurred when I built with
Visual Studio using the generated projects in the projects dir.

Closes https://github.com/curl/curl/pull/4658

show more ...

copyrights: fix copyright year range

.. because checksrc's copyright year check stopped working.

Ref: https://github.com/curl/curl/pull/4547

Closes https://github.com/curl/

copyrights: fix copyright year range

.. because checksrc's copyright year check stopped working.

Ref: https://github.com/curl/curl/pull/4547

Closes https://github.com/curl/curl/pull/4549

show more ...

mprintf: avoid unsigned integer overflow warning

The overflow has no real world impact.
Just avoid it for "best practice".

Code change suggested by "The Infinnovation Team" and

mprintf: avoid unsigned integer overflow warning

The overflow has no real world impact.
Just avoid it for "best practice".

Code change suggested by "The Infinnovation Team" and Daniel Stenberg.
Closes #3184

show more ...

code style: remove wrong uses of multiple spaces

Closes #1878

code style: use spaces around pluses

code style: use spaces around equals signs

CURL_SIZEOF_LONG: removed, use only SIZEOF_LONG

system.h: remove all CURL_SIZEOF_* defines

... as they're not used externally and internally we check for the sizes
already in configure etc.

Closes #1767

assert: avoid, use DEBUGASSERT instead!

... as it does extra checks to actually work.

Reported-by: jonrumsey at github
Fixes #1504

lib: fix compiler warnings

Fix the following warnings when building the tests by using the correct
types:
cast from 'const char *' to 'void *' drops const qualifier
[-Wcast-qual]

lib: fix compiler warnings

Fix the following warnings when building the tests by using the correct
types:
cast from 'const char *' to 'void *' drops const qualifier
[-Wcast-qual]
implicit conversion changes signedness [-Wsign-conversion]

show more ...