sasl: make login option string override http auth

- Use http authentication mechanisms as a default, not a preset.

Consider http authentication options which are mapped to SASL opti

sasl: make login option string override http auth

- Use http authentication mechanisms as a default, not a preset.

Consider http authentication options which are mapped to SASL options as
a default (overriding the hardcoded default mask for the protocol) that
is ignored if a login option string is given.

Prior to this change, if some HTTP auth options were given, sasl mapped
http authentication options to sasl ones but merged them with the login
options.

That caused problems with the cli tool that sets the http login option
CURLAUTH_BEARER as a side-effect of --oauth2-bearer, because this flag
maps to more than one sasl mechanisms and the latter cannot be cleared
individually by the login options string.

New test 992 checks this.

Fixes https://github.com/curl/curl/issues/10259
Closes https://github.com/curl/curl/pull/12790

show more ...

socks: use own buffer instead of data->state.buffer

Closes #12788

socks: fix generic output string to say SOCKS instead of SOCKS4

... since it was also logged for SOCKS5.

Closes #12797

test742: test SOCKS5 with max length user, password and hostname

Adjusted the socksd server accordingly to allow for configuring that
long user name and password.

Closes #12797

ssh: use stack scratch buffer for seeks

- instead of data->state.buffer

Closes #12794

krb5: access the response buffer correctly

As the pingpong code no longer uses the download buffer.

Folllow-up to c2d973627bab12ab
Pointed-out-by: Stefan Eissing
Closes #127

krb5: access the response buffer correctly

As the pingpong code no longer uses the download buffer.

Folllow-up to c2d973627bab12ab
Pointed-out-by: Stefan Eissing
Closes #12796

show more ...

mqtt: use stack scratch buffer for recv+publish

- instead of data->state.buffer

Closes #12792

telnet, use stack scratch buffer for do

- instead of data->state.buffer

Closes #12793

http, use stack scratch buffer

- instead of data->state.buffer

Closes #12791

ntlm_wb: do not use data->state.buf any longer

Closes #12787

gitignore: the generated `libcurl-symbols.md`

Closes #12795

tool: fix the listhelp generation command

The previous command line to generate the tool_listhelp.c source file
broke with 2494b8dd5175cee7.

Make 'make listhelp' invoked in src/

tool: fix the listhelp generation command

The previous command line to generate the tool_listhelp.c source file
broke with 2494b8dd5175cee7.

Make 'make listhelp' invoked in src/ generate it. Also update the
comment in the file to mention the right procedure.

Closes #12786

show more ...

http: check for "Host:" case insensitively

When checking if the user wants to replace the header, the check should
be case insensitive.

Adding test 461 to verify

Found-

http: check for "Host:" case insensitively

When checking if the user wants to replace the header, the check should
be case insensitive.

Adding test 461 to verify

Found-by: Dan Fandrich
Ref: #12782
Closes #12784

show more ...

configure: add libngtcp2_crypto_boringssl detection

If OpenSSL is found to be BoringSSL or AWS-LC, and ngtcp2 is requested,
try to detect libngtcp2_crypto_boringssl.

Reported-by

configure: add libngtcp2_crypto_boringssl detection

If OpenSSL is found to be BoringSSL or AWS-LC, and ngtcp2 is requested,
try to detect libngtcp2_crypto_boringssl.

Reported-by: ウさん
Fixes #12724
Closes #12769

show more ...

http: remove comment reference to a removed solution

Follow-up to 58974d25d

Closes #12785

pytest: Scorecard tracking CPU and RSS

Closes #12765

GHA: bump ngtcp2, gnutls, mod_h2, quiche

- ngtcp2 to v1.2.0
- gnutls to 3.8.3
- mod_h2 to 2.0.26
- quiche to 0.20.0

Closes #12778
Closes #12779
Closes #12780

GHA: bump ngtcp2, gnutls, mod_h2, quiche

- ngtcp2 to v1.2.0
- gnutls to 3.8.3
- mod_h2 to 2.0.26
- quiche to 0.20.0

Closes #12778
Closes #12779
Closes #12780
Closes #12781

show more ...

ftpserver.pl: send 213 SIZE response without spurious newline

pingpong: stop using the download buffer

The pingpong logic now uses its own dynbuf for receiving command
response data.

When the "final" response header for a commanad has been

pingpong: stop using the download buffer

The pingpong logic now uses its own dynbuf for receiving command
response data.

When the "final" response header for a commanad has been received, that
final line is left first in the recvbuf for the protocols to parse at
will. If there is additional data behind the final response line, the
'overflow' counter is indicate how many bytes.

Closes #12757

show more ...

gen.pl: remove bold from .IP used for ##

Reported-by: Viktor Szakats
Fixes #12776
Closes #12777

cmake: rework options to enable curl and libcurl docs

Rework CMake options for building/using curl tool and libcurl manuals.

- rename `ENABLE_MANUAL` to `ENABLE_CURL_MANUAL`, meanin

cmake: rework options to enable curl and libcurl docs

Rework CMake options for building/using curl tool and libcurl manuals.

- rename `ENABLE_MANUAL` to `ENABLE_CURL_MANUAL`, meaning:
to build man page and built-in manual for curl tool.

- rename `BUILD_DOCS` to `BUILD_LIBCURL_DOCS`, meaning:
to build man pages for libcurl.

- `BUILD_LIBCURL_DOCS` now works without having to enable
`ENABLE_CURL_MANUAL` too.

- drop support for existing CMake-level `USE_MANUAL` option to avoid
confusion. (It used to work with the effect of current
`ENABLE_CURL_MANUAL`, but only by accident.)

Assisted-by: Richard Levitte
Ref: #12771
Closes #12773

show more ...

urlapi: remove assert

This assert triggers wrongly when CURLU_GUESS_SCHEME and
CURLU_NO_AUTHORITY are both set and the URL is a single path.

I think this assert has played out i

urlapi: remove assert

This assert triggers wrongly when CURLU_GUESS_SCHEME and
CURLU_NO_AUTHORITY are both set and the URL is a single path.

I think this assert has played out its role. It was introduced in a
rather big refactor.

Follow-up to 4cfa5bcc9a

Reported-by: promptfuzz_ on hackerone
Closes #12775

show more ...

tests: avoid int/size_t conversion size/sign warnings

Closes #12768

GHA: add a job scanning for "bad words" in markdown

This means words, phrases or things we have decided not to use - words that
are spelled right according to the dictionary but we want

GHA: add a job scanning for "bad words" in markdown

This means words, phrases or things we have decided not to use - words that
are spelled right according to the dictionary but we want to avoid. In the
name of consistency and better documentation.

Closes #12764

show more ...

cmake: speed up curldown processing, enable by default

- cmake: enable `BUILD_DOCS` by default (this controls converting and
installing `.3` files from `.md` sources)

- cmake:

cmake: speed up curldown processing, enable by default

- cmake: enable `BUILD_DOCS` by default (this controls converting and
installing `.3` files from `.md` sources)

- cmake: speed up generating `.3` files by using a single command per
directory, instead of a single command per file. This reduces external
commands by about a thousand. (There remains some CMake logic kicking
in resulting in 500 -one per file- external `-E touch_nocreate` calls.)

- cd2nroff: add ability to process multiple input files.

- cd2nroff: add `-k` option to use the source filename to form the
output filename. (instead of the default in-file `Title:` line.)

Follow-up to 3f08d80b2244524646ce86915c585509ac54fb4c
Follow-up to ea0b575dab86a3c44dd1d547dc500276266aa382 #12753
Follow-up to eefcc1bda4bccd800f5a56a0fe17a2f44a96e88b #12730

Closes #12762

show more ...