#
3829759b |
| 08-Dec-2023 |
Viktor Szakats |
build: enable missing OpenSSF-recommended warnings, with fixes https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html as of 2023-11-29 [1]
build: enable missing OpenSSF-recommended warnings, with fixes https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html as of 2023-11-29 [1]. Enable new recommended warnings (except `-Wsign-conversion`): - enable `-Wformat=2` for clang (in both cmake and autotools). - add `CURL_PRINTF()` internal attribute and mark functions accepting printf arguments with it. This is a copy of existing `CURL_TEMP_PRINTF()` but using `__printf__` to make it compatible with redefinting the `printf` symbol: https://gcc.gnu.org/onlinedocs/gcc-3.0.4/gcc_5.html#SEC94 - fix `CURL_PRINTF()` and existing `CURL_TEMP_PRINTF()` for mingw-w64 and enable it on this platform. - enable `-Wimplicit-fallthrough`. - enable `-Wtrampolines`. - add `-Wsign-conversion` commented with a FIXME. - cmake: enable `-pedantic-errors` the way we do it with autotools. Follow-up to d5c0351055d5709da8f3e16c91348092fdb481aa #2747 - lib/curl_trc.h: use `CURL_FORMAT()`, this also fixes it to enable format checks. Previously it was always disabled due to the internal `printf` macro. Fix them: - fix bug where an `set_ipv6_v6only()` call was missed in builds with `--disable-verbose` / `CURL_DISABLE_VERBOSE_STRINGS=ON`. - add internal `FALLTHROUGH()` macro. - replace obsolete fall-through comments with `FALLTHROUGH()`. - fix fallthrough markups: Delete redundant ones (showing up as warnings in most cases). Add missing ones. Fix indentation. - silence `-Wformat-nonliteral` warnings with llvm/clang. - fix one `-Wformat-nonliteral` warning. - fix new `-Wformat` and `-Wformat-security` warnings. - fix `CURL_FORMAT_SOCKET_T` value for mingw-w64. Also move its definition to `lib/curl_setup.h` allowing use in `tests/server`. - lib: fix two wrongly passed string arguments in log outputs. Co-authored-by: Jay Satiro - fix new `-Wformat` warnings on mingw-w64. [1] https://github.com/ossf/wg-best-practices-os-developers/blob/56c0fde3895bfc55c8a973ef49a2572c507b2ae1/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C%2B%2B.md Closes #12489
show more ...
|
#
8706b680 |
| 13-Dec-2023 |
Stefan Eissing |
lib: eliminate `conn->cselect_bits` - use `data->state.dselect_bits` everywhere instead - remove `bool *comeback` parameter as non-zero `data->state.dselect_bits` will indicate tha
lib: eliminate `conn->cselect_bits` - use `data->state.dselect_bits` everywhere instead - remove `bool *comeback` parameter as non-zero `data->state.dselect_bits` will indicate that IO is incomplete. Closes #12512
show more ...
|
#
84338c4d |
| 15-Nov-2023 |
Viktor Szakats |
build: add more picky warnings and fix them Enable more picky compiler warnings. I've found these options in the nghttp3 project when implementing the CMake quick picky warning funct
build: add more picky warnings and fix them Enable more picky compiler warnings. I've found these options in the nghttp3 project when implementing the CMake quick picky warning functionality for it [1]. `-Wunused-macros` was too noisy to keep around, but fixed a few issues it revealed while testing. - autotools: reflect the more precisely-versioned clang warnings. Follow-up to 033f8e2a08eb1d3102f08c4d8c8e85470f8b460e #12324 - autotools: sync between clang and gcc the way we set `no-multichar`. - autotools: avoid setting `-Wstrict-aliasing=3` twice. - autotools: disable `-Wmissing-noreturn` for MSYS gcc targets [2]. It triggers in libtool-generated stub code. - lib/timeval: delete a redundant `!MSDOS` guard from a `WIN32` branch. - lib/curl_setup.h: delete duplicate declaration for `fileno`. Added in initial commit ae1912cb0d494b48d514d937826c9fe83ec96c4d (1999-12-29). This suggests this may not be needed anymore, but if it does, we may restore this for those specific (non-Windows) systems. - lib: delete unused macro `FTP_BUFFER_ALLOCSIZE` since c1d6fe2aaa5a26e49a69a4f2495b3cc7a24d9394. - lib: delete unused macro `isxdigit_ascii` since f65f750742068f579f4ee6d8539ed9d5f0afcb85. - lib/mqtt: delete unused macro `MQTT_HEADER_LEN`. - lib/multi: delete unused macro `SH_READ`/`SH_WRITE`. - lib/hostip: add `noreturn` function attribute via new `CURL_NORETURN` macro. - lib/mprintf: delete duplicate declaration for `Curl_dyn_vprintf`. - lib/rand: fix `-Wunreachable-code` and related fallouts [3]. - lib/setopt: fix `-Wunreachable-code-break`. - lib/system_win32 and lib/timeval: fix double declarations for `Curl_freq` and `Curl_isVistaOrGreater` in CMake UNITY mode [4]. - lib/warnless: fix double declarations in CMake UNITY mode [5]. This was due to force-disabling the header guard of `warnless.h` to to reapply it to source code coming after `warnless.c` in UNITY builds. This reapplied declarations too, causing the warnings. Solved by adding a header guard for the lines that actually need to be reapplied. - lib/vauth/digest: fix `-Wunreachable-code-break` [6]. - lib/vssh/libssh2: fix `-Wunreachable-code-break` and delete redundant block. - lib/vtls/sectransp: fix `-Wunreachable-code-break` [7]. - lib/vtls/sectransp: suppress `-Wunreachable-code`. Detected in `else` branches of dynamic feature checks, with results known at compile-time, e.g. ```c if(SecCertificateCopySubjectSummary) /* -> true */ ``` Likely fixable as a separate micro-project, but given SecureTransport is deprecated anyway, let's just silence these locally. - src/tool_help: delete duplicate declaration for `helptext`. - src/tool_xattr: fix `-Wunreachable-code`. - tests: delete duplicate declaration for `unitfail` [8]. - tests: delete duplicate declaration for `strncasecompare`. - tests/libtest: delete duplicate declaration for `gethostname`. Originally added in 687df5c8c39c370a59999b9afc0917d808d978b7 (2010-08-02). Got complicated later: c49e9683b85ba9d12cbb6eebc4ab2c8dba68fbdc If there are still systems around with warnings, we may restore the prototype, but limited for those systems. - tests/lib2305: delete duplicate declaration for `libtest_debug_config`. - tests/h2-download: fix `-Wunreachable-code-break`. [1] https://github.com/ngtcp2/nghttp3/blob/a70edb08e954d690e8fb2c1df999b5a056f8bf9f/cmake/PickyWarningsC.cmake [2] https://ci.appveyor.com/project/curlorg/curl/builds/48553586/job/3qkgjauiqla5fj45?fullLog=true#L1675 [3] https://github.com/curl/curl/actions/runs/6880886309/job/18716044703?pr=12331#step:7:72 https://github.com/curl/curl/actions/runs/6883016087/job/18722707368?pr=12331#step:7:109 [4] https://ci.appveyor.com/project/curlorg/curl/builds/48555101/job/9g15qkrriklpf1ut#L204 [5] https://ci.appveyor.com/project/curlorg/curl/builds/48555101/job/9g15qkrriklpf1ut#L218 [6] https://github.com/curl/curl/actions/runs/6880886309/job/18716042927?pr=12331#step:7:290 [7] https://github.com/curl/curl/actions/runs/6891484996/job/18746659406?pr=12331#step:9:1193 [8] https://github.com/curl/curl/actions/runs/6882803986/job/18722082562?pr=12331#step:33:1870 Closes #12331
show more ...
|
#
413a0fed |
| 16-Nov-2023 |
Viktor Szakats |
autotools: stop setting `-std=gnu89` with `--enable-warnings` Do not alter the C standard when building with `--enable-warnings` when building with gcc. On one hand this alters
autotools: stop setting `-std=gnu89` with `--enable-warnings` Do not alter the C standard when building with `--enable-warnings` when building with gcc. On one hand this alters warning results compared to a default build. On the other, it may produce different binaries, which is unexpected. Also fix new warnings that appeared after removing `-std=gnu89`: - include: fix public curl headers to use the correct printf mask for `CURL_FORMAT_CURL_OFF_T` and `CURL_FORMAT_CURL_OFF_TU` with mingw-w64 and Visual Studio 2013 and newer. This fixes the printf mask warnings in examples and tests. E.g. [1] - conncache: fix printf format string [2]. - http2: fix potential null pointer dereference [3]. (seen on Slackware with gcc 11.) - libssh: fix printf format string in SFTP code [4]. Also make MSVC builds compatible with old CRT versions. - libssh2: fix printf format string in SFTP code for MSVC. Applying the same fix as for libssh above. - unit1395: fix `argument is null` and related issues [5]: - stop calling `strcmp()` with NULL to avoid undefined behaviour. - fix checking results if some of them were NULL. - do not pass NULL to printf `%s`. - ci: keep a build job with `-std=gnu89` to continue testing for C89-compliance. We can apply this to other gcc jobs as needed. Ref: b23ce2cee7329bbf425f18b49973b7a5f23dfcb4 (2022-09-23) #9542 [1] https://dev.azure.com/daniel0244/curl/_build/results?buildId=18581&view=logs&jobId=ccf9cc6d-2ef1-5cf2-2c09-30f0c14f923b [2] https://github.com/curl/curl/actions/runs/6896854263/job/18763831142?pr=12346#step:6:67 [3] https://github.com/curl/curl/actions/runs/6896854253/job/18763839238?pr=12346#step:30:214 [4] https://github.com/curl/curl/actions/runs/6896854253/job/18763838007?pr=12346#step:29:895 [5] https://github.com/curl/curl/actions/runs/6896854253/job/18763836775?pr=12346#step:33:1689 Closes #12346
show more ...
|
#
ad051e1c |
| 23-Oct-2023 |
Stefan Eissing |
lib: client writer, part 2, accounting + logging This PR has these changes: Renaming of unencode_* to cwriter, e.g. client writers - documentation of sendf.h functions - mov
lib: client writer, part 2, accounting + logging This PR has these changes: Renaming of unencode_* to cwriter, e.g. client writers - documentation of sendf.h functions - move max decode stack checks back to content_encoding.c - define writer phase which was used as order before - introduce phases for monitoring inbetween decode phases - offering default implementations for init/write/close Add type paramter to client writer's do_write() - always pass all writes through the writer stack - writers who only care about BODY data will pass other writes unchanged add RAW and PROTOCOL client writers - RAW used for Curl_debug() logging of CURLINFO_DATA_IN - PROTOCOL used for updates to data->req.bytecount, max_filesize checks and Curl_pgrsSetDownloadCounter() - remove all updates of data->req.bytecount and calls to Curl_pgrsSetDownloadCounter() and Curl_debug() from other code - adjust test457 expected output to no longer see the excess write Closes #12184
show more ...
|
#
3b6d18bb |
| 03-Oct-2023 |
Viktor Szakats |
spelling: fix codespell 2.2.6 typos Closes #12019
|
#
80fc040e |
| 18-Sep-2023 |
Jay Satiro |
libssh2: fix error message on failed pubkey-from-file - If libssh2_userauth_publickey_fromfile_ex returns -1 then show error message "SSH public key authentication failed: Reason unkno
libssh2: fix error message on failed pubkey-from-file - If libssh2_userauth_publickey_fromfile_ex returns -1 then show error message "SSH public key authentication failed: Reason unknown (-1)". When libssh2_userauth_publickey_fromfile_ex returns -1 it does so as a generic error and therefore doesn't set an error message. AFAICT that is not documented behavior. Prior to this change libcurl retrieved the last set error message which would be from a previous function failing. That resulted in misleading auth failed error messages in verbose mode. Bug: https://github.com/curl/curl/issues/11837#issue-1891827355 Reported-by: consulion@users.noreply.github.com Closes https://github.com/curl/curl/pull/11881
show more ...
|
#
5e2beb33 |
| 23-Aug-2023 |
Daniel Stenberg |
spelling: use 'reuse' not 're-use' in code and elsewhere Unify the spelling as both versions were previously used intermittently Closes #11717
|
#
e12b39e1 |
| 03-Aug-2023 |
Stefan Eissing |
trace: make tracing available in non-debug builds Add --trace-config to curl Add curl_global_trace() to libcurl Closes #11421
|
#
00f8f9c2 |
| 30-Jul-2023 |
Viktor Szakats |
cmake: cache more config and delete unused ones - cache more Windows config results for faster initialization. - delete unused config macros `HAVE_SYS_UTSNAME_H`, `HAVE_SSL_H`.
cmake: cache more config and delete unused ones - cache more Windows config results for faster initialization. - delete unused config macros `HAVE_SYS_UTSNAME_H`, `HAVE_SSL_H`. - delete dead references to `sys/utsname.h`. Closes #11551
show more ...
|
#
93df7134 |
| 02-Jun-2023 |
Daniel Stenberg |
libssh2: provide error message when setting host key type fails Ref: https://curl.se/mail/archive-2023-06/0001.html Closes #11240
|
#
10d84043 |
| 01-Jun-2023 |
Daniel Stenberg |
libssh2: use custom memory functions Because of how libssh2_userauth_keyboard_interactive_ex() works: the libcurl callback allocates memory that is later free()d by libssh2, we must
libssh2: use custom memory functions Because of how libssh2_userauth_keyboard_interactive_ex() works: the libcurl callback allocates memory that is later free()d by libssh2, we must set the custom memory functions. Reverts 8b5f100db388ee60118c08aa28 Ref: https://github.com/libssh2/libssh2/issues/1078 Closes #11235
show more ...
|
#
e915b690 |
| 26-Apr-2023 |
Daniel Silverstone |
ssh: Add support for libssh2 read timeout Hook the new (1.11.0 or newer) libssh2 support for setting a read timeout into the SERVER_RESPONSE_TIMEOUT option. With this done, clients can
ssh: Add support for libssh2 read timeout Hook the new (1.11.0 or newer) libssh2 support for setting a read timeout into the SERVER_RESPONSE_TIMEOUT option. With this done, clients can use the standard curl response timeout setting to also control the time that libssh2 will wait for packets from a slow server. This is necessary to enable use of very slow SFTP servers. Signed-off-by: Daniel Silverstone <daniel.silverstone@codethink.co.uk> Closes #10965
show more ...
|
#
8e21b1a0 |
| 08-May-2023 |
Daniel Stenberg |
libssh2: free fingerprint better Reported-by: Wei Chong Tan Closes #11088
|
#
21575b26 |
| 25-Apr-2023 |
Jay Satiro |
libssh2: fix crash in keyboard callback - Always set the libssh2 'abstract' user-pointer to the libcurl easy handle associated with the ssh session, so it is always passed to the
libssh2: fix crash in keyboard callback - Always set the libssh2 'abstract' user-pointer to the libcurl easy handle associated with the ssh session, so it is always passed to the ssh keyboard callback. Prior to this change and since 8b5f100 (precedes curl 8.0.0), if libcurl was built without CURL_DEBUG then it could crash during the ssh auth phase due to a null dereference in the ssh keyboard callback. Reported-by: Andreas Falkenhahn Fixes https://github.com/curl/curl/pull/11024 Closes https://github.com/curl/curl/pull/11026
show more ...
|
#
7815647d |
| 25-Apr-2023 |
Daniel Stenberg |
lib: unify the upload/method handling By making sure we set state.upload based on the set.method value and not independently as set.upload, we reduce confusion and mixup risks, both
lib: unify the upload/method handling By making sure we set state.upload based on the set.method value and not independently as set.upload, we reduce confusion and mixup risks, both internally and externally. Closes #11017
show more ...
|
#
d2d0e600 |
| 16-Mar-2023 |
Daniel Stenberg |
libssh2: remove unused variable from libssh2's struct Closes #10777
|
#
8b5f100d |
| 09-Mar-2023 |
Daniel Stenberg |
libssh2: only set the memory callbacks when debugging This makes us debug libssh2 less and libcurl more when for example running torture tests that otherwise will spend a lot of time in
libssh2: only set the memory callbacks when debugging This makes us debug libssh2 less and libcurl more when for example running torture tests that otherwise will spend a lot of time in libssh2 functions. We leave libssh2 to test libssh2. Closes #10721
show more ...
|
#
2bc1d775 |
| 02-Jan-2023 |
Daniel Stenberg |
copyright: update all copyright lines and remove year ranges - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - save
copyright: update all copyright lines and remove year ranges - they are mostly pointless in all major jurisdictions - many big corporations and projects already don't use them - saves us from pointless churn - git keeps history for us - the year range is kept in COPYING checksrc is updated to allow non-year using copyright statements Closes #10205
show more ...
|
#
71b7e016 |
| 30-Dec-2022 |
Stefan Eissing |
lib: connect/h2/h3 refactor Refactoring of connection setup and happy eyeballing. Move nghttp2. ngtcp2, quiche and msh3 into connection filters. - eyeballing cfilter that uses
lib: connect/h2/h3 refactor Refactoring of connection setup and happy eyeballing. Move nghttp2. ngtcp2, quiche and msh3 into connection filters. - eyeballing cfilter that uses sub-filters for performing parallel connects - socket cfilter for all transport types, including QUIC - QUIC implementations in cfilter, can now participate in eyeballing - connection setup is more dynamic in order to adapt to what filter did really connect. Relevant to see if a SSL filter needs to be added or if SSL has already been provided - HTTP/3 test cases similar to HTTP/2 - multiuse of parallel transfers for HTTP/3, tested for ngtcp2 and quiche - Fix for data attach/detach in VTLS filters that could lead to crashes during parallel transfers. - Eliminating setup() methods in cfilters, no longer needed. - Improving Curl_conn_is_alive() to replace Curl_connalive() and integrated ssl alive checks into cfilter. - Adding CF_CNTRL_CONN_INFO_UPDATE to tell filters to update connection into and persist it at the easy handle. - Several more cfilter related cleanups and moves: - stream_weigth and dependency info is now wrapped in struct Curl_data_priority - Curl_data_priority members depend is available in HTTP2|HTTP3 - Curl_data_priority members depend on NGHTTP2 support - handling init/reset/cleanup of priority part of url.c - data->state.priority same struct, but shallow copy for compares only - PROTOPT_STREAM has been removed - Curl_conn_is_mulitplex() now available to check on capability - Adding query method to connection filters. - ngtcp2+quiche: implementing query for max concurrent transfers. - Adding is_alive and keep_alive cfilter methods. Adding DATA_SETUP event. - setting keepalive timestamp on connect - DATA_SETUP is called after the connection has been completely setup (but may not connected yet) to allow filters to initialize data members they use. - there is no socket to be had with msh3, it is unclear how select shall work - manual test via "curl --http3 https://curl.se" fail with "empty reply from server". - Various socket/conn related cleanups: - Curl_socket is now Curl_socket_open and in cf-socket.c - Curl_closesocket is now Curl_socket_close and in cf-socket.c - Curl_ssl_use has been replaced with Cur_conn_is_ssl - Curl_conn_tcp_accepted_set has been split into Curl_conn_tcp_listen_set and Curl_conn_tcp_accepted_set with a clearer purpose Closes #10141
show more ...
|
#
ccf1ca94 |
| 22-Dec-2022 |
Daniel Stenberg |
libssh2: try sha2 algos for hostkey methods As is supported by recent libssh2, but should just be ignored by older versions. Reported-by: norbertmm on github Assisted-by: no
libssh2: try sha2 algos for hostkey methods As is supported by recent libssh2, but should just be ignored by older versions. Reported-by: norbertmm on github Assisted-by: norbertmm on github Fixes #10143 Closes #10145
show more ...
|
#
8fe33a96 |
| 05-Dec-2022 |
Michael Musset |
libssh2: return error when ssh_hostkeyfunc returns error return CURLE_PEER_FAILED_VERIFICATION if verification with the callback return a result different than CURLKHMATCH_OK Cl
libssh2: return error when ssh_hostkeyfunc returns error return CURLE_PEER_FAILED_VERIFICATION if verification with the callback return a result different than CURLKHMATCH_OK Closes #10034
show more ...
|
#
2d9fee45 |
| 23-Nov-2022 |
Daniel Gustafsson |
netware: remove leftover traces Commit 3b16575ae938dec2a29454631a12aa52b6ab9c67 removed support for building on Novell Netware, but a few leftover traces remained. This removes the l
netware: remove leftover traces Commit 3b16575ae938dec2a29454631a12aa52b6ab9c67 removed support for building on Novell Netware, but a few leftover traces remained. This removes the last bits. Closes: #9966 Reviewed-by: Daniel Stenberg <daniel@haxx.se>
show more ...
|
#
af22c2a5 |
| 22-Nov-2022 |
Stefan Eissing |
vtls: localization of state data in filters - almost all backend calls pass the Curl_cfilter intance instead of connectdata+sockindex - ssl_connect_data is remove from struct co
vtls: localization of state data in filters - almost all backend calls pass the Curl_cfilter intance instead of connectdata+sockindex - ssl_connect_data is remove from struct connectdata and made internal to vtls - ssl_connect_data is allocated in the added filter, kept at cf->ctx - added function to let a ssl filter access its ssl_primary_config and ssl_config_data this selects the propert subfields in conn and data, for filters added as plain or proxy - adjusted all backends to use the changed api - adjusted all backends to access config data via the exposed functions, no longer using conn or data directly cfilter renames for clear purpose: - methods `Curl_conn_*(data, conn, sockindex)` work on the complete filter chain at `sockindex` and connection `conn`. - methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter instance. - methods `Curl_conn_cf()` work on/with filter instances at a connection. - rebased and resolved some naming conflicts - hostname validation (und session lookup) on SECONDARY use the same name as on FIRST (again). new debug macros and removing connectdata from function signatures where not needed. adapting schannel for new Curl_read_plain paramter. Closes #9919
show more ...
|
#
e9c580de |
| 17-Nov-2022 |
Daniel Stenberg |
lib: parse numbers with fixed known base 10 ... instead of using 0 argument that allows decimal, hex or octal when the number is documented and assumed to use base 10. Closes #9
lib: parse numbers with fixed known base 10 ... instead of using 0 argument that allows decimal, hex or octal when the number is documented and assumed to use base 10. Closes #9933
show more ...
|