http: fix `-Wunused-variable` compiler warning

Fix compiler warnings in builds with disabled auths, NTLM and SPNEGO.

E.g. with `CURL_DISABLE_BASIC_AUTH` + `CURL_DISABLE_BEARER_AUTH`

http: fix `-Wunused-variable` compiler warning

Fix compiler warnings in builds with disabled auths, NTLM and SPNEGO.

E.g. with `CURL_DISABLE_BASIC_AUTH` + `CURL_DISABLE_BEARER_AUTH` +
`CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_NEGOTIATE_AUTH` +
`CURL_DISABLE_NTLM` on non-Windows.

```
./curl/lib/http.c:737:12: warning: unused variable 'result' [-Wunused-variable]
CURLcode result = CURLE_OK;
^
./curl/lib/http.c:995:18: warning: variable 'availp' set but not used [-Wunused-but-set-variable]
unsigned long *availp;
^
./curl/lib/http.c:996:16: warning: variable 'authp' set but not used [-Wunused-but-set-variable]
struct auth *authp;
^
```

Regression from e92edfbef64448ef461117769881f3ed776dec4e #11490

Fixes #12228
Closes #12335

show more ...

tool: support bold headers in Windows

- If virtual terminal processing is enabled in Windows then use ANSI
escape codes Esc[1m and Esc[22m to turn bold on and off.

Suggested-b

tool: support bold headers in Windows

- If virtual terminal processing is enabled in Windows then use ANSI
escape codes Esc[1m and Esc[22m to turn bold on and off.

Suggested-by: Gisle Vanem

Ref: https://github.com/curl/curl/discussions/11770

Closes https://github.com/curl/curl/pull/12321

show more ...

build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS`

Builds with libssh2 + `-DCURL_DISABLE_DIGEST_AUTH=ON` +
`-DCURL_DISABLE_AWS=ON` in combination with either Schannel o

build: fix libssh2 + `CURL_DISABLE_DIGEST_AUTH` + `CURL_DISABLE_AWS`

Builds with libssh2 + `-DCURL_DISABLE_DIGEST_AUTH=ON` +
`-DCURL_DISABLE_AWS=ON` in combination with either Schannel on Windows,
or `-DCURL_DISABLE_NTLM=ON` on other operating systems failed while
compiling due to a missing HMAC declaration.

The reason is that HMAC is required by `lib/sha256.c` which publishes
`Curl_sha256it()` which is required by `lib/vssh/libssh2.c` when
building for libssh2 v1.8.2 (2019-05-25) or older.

Make sure to compile the HMAC bits for a successful build.

Both HMAC and `Curl_sha256it()` rely on the same internals, so splitting
them into separate sources isn't practical.

Fixes:
```
[...]
In file included from ./curl/_x64-win-ucrt-cmake-llvm-bld/lib/CMakeFiles/libcurl_object.dir/Unity/unity_0_c.c:310:
./curl/lib/sha256.c:527:42: error: array has incomplete element type 'const struct HMAC_params'
527 | const struct HMAC_params Curl_HMAC_SHA256[] = {
| ^
./curl/lib/curl_sha256.h:34:21: note: forward declaration of 'struct HMAC_params'
[...]
```

Regression from e92edfbef64448ef461117769881f3ed776dec4e #11490

Fixes #12273
Closes #12332

show more ...

duphandle: also free 'outcurl->cookies' in error path

Fixes memory-leak when OOM mid-function

Use plain free instead of safefree, since the entire struct is
freed below.

duphandle: also free 'outcurl->cookies' in error path

Fixes memory-leak when OOM mid-function

Use plain free instead of safefree, since the entire struct is
freed below.

Remove some free calls that is already freed in Curl_freeset()

Closes #12329

show more ...

config-win32: set `HAVE_SNPRINTF` for mingw-w64

It's available in all mingw-w64 releases. We already pre-fill this
detection in CMake.

Closes #12325

sasl: fix `-Wunused-function` compiler warning

In builds with disabled auths.

```
lib/curl_sasl.c:266:17: warning: unused function 'get_server_message' [-Wunused-function]
s

sasl: fix `-Wunused-function` compiler warning

In builds with disabled auths.

```
lib/curl_sasl.c:266:17: warning: unused function 'get_server_message' [-Wunused-function]
static CURLcode get_server_message(struct SASL *sasl, struct Curl_easy *data,
^
1 warning generated.
```
Ref: https://github.com/curl/trurl/actions/runs/6871732122/job/18689066151#step:3:3822

Reviewed-by: Daniel Stenberg
Closes #12326

show more ...

build: picky warning updates

- cmake: sync some picky gcc warnings with autotools.
- cmake, autotools: add `-Wold-style-definition` for clang too.
- cmake: more precise version info

build: picky warning updates

- cmake: sync some picky gcc warnings with autotools.
- cmake, autotools: add `-Wold-style-definition` for clang too.
- cmake: more precise version info for old clang options.
- cmake: use `IN LISTS` syntax in `foreach()`.

Reviewed-by: Daniel Stenberg
Reviewed-by: Marcel Raad
Closes #12324

show more ...

urldata: move cookielist from UserDefined to UrlState

1. Because the value is not strictly set with a setopt option.

2. Because otherwise when duping a handle when all the set.* fie

urldata: move cookielist from UserDefined to UrlState

1. Because the value is not strictly set with a setopt option.

2. Because otherwise when duping a handle when all the set.* fields are
first copied and an error happens (think out of memory mid-function),
the function would easily free the list *before* it was deep-copied,
which could lead to a double-free.

Closes #12323

show more ...

autotools: avoid passing `LDFLAGS` twice to libcurl

autotools passes `LDFLAGS` automatically linker commands. curl's
`lib/Makefile.am` customizes libcurl linker flags. In that
custom

autotools: avoid passing `LDFLAGS` twice to libcurl

autotools passes `LDFLAGS` automatically linker commands. curl's
`lib/Makefile.am` customizes libcurl linker flags. In that
customization, it added `LDFLAGS` to the custom flags. This resulted in
passing `LDFLAGS` _twice_ to the `libtool` command.

Most of the time this is benign, but some `LDFLAGS` options can break
the build when passed twice. One such example is passing `.o` files,
e.g. `crt*.o` files necessary when customizing the C runtime, e.g. for
MUSL builds.

Passing them twice resulted in duplicate symbol errors:
```
libtool: link: clang-15 --target=aarch64-unknown-linux-musl [...] /usr/lib/aarch64-linux-musl/crt1.o [...] /usr/lib/aarch64-linux-musl/crt1.o [...]
ld.lld-15: error: duplicate symbol: _start
>>> defined at crt1.c
>>> /usr/lib/aarch64-linux-musl/crt1.o:(.text+0x0)
>>> defined at crt1.c
>>> /usr/lib/aarch64-linux-musl/crt1.o:(.text+0x0)
[...]
clang: error: linker command failed with exit code 1 (use -v to see invocation)
```

This behaviour came with commit 1a593191c2769a47b8c3e4d9715ec9f6dddf5e36
(2013-07-23) as a fix for bug https://curl.haxx.se/bug/view.cgi?id=1217.
The patch was a works-for-me hack that ended up merged in curl:
https://sourceforge.net/p/curl/bugs/1217/#06ef
With the root cause remaining unclear.

Perhaps the SUNPro 12 linker was sensitive to `-L` `-l` order, requiring
`-L` first? This would be unusual and suggests a bug in either the
linker or in `libtool`.

The curl build does pass the list of detected libs via its own
`LIBCURL_LIBS` variable, which ends up before `LDFLAGS` on the `libtool`
command line, but it's the job of `libtool` to ensure that even
a peculiar linker gets the options in the expected order. Also because
autotools passes `LDFLAGS` last, making it hardly possible to pass
anything after it.

Perhaps in the 10 years since this issue, this already got a fix
upstream.

This patch deletes `LDFLAGS` from our customized libcurl options,
leaving a single copy of them as passed by autotools automatically.

Reverts 1a593191c2769a47b8c3e4d9715ec9f6dddf5e36
Closes #12310

show more ...

autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}`

To allow passing `LDFLAGS` specific to libcurl (`CURL_LDFLAGS_LIB`) and
curl tool (`CURL_LDFLAGS_BIN`).

This makes it

autotools: accept linker flags via `CURL_LDFLAGS_{LIB,BIN}`

To allow passing `LDFLAGS` specific to libcurl (`CURL_LDFLAGS_LIB`) and
curl tool (`CURL_LDFLAGS_BIN`).

This makes it possible to build libcurl and curl with a single
invocation with lib- and tool-specific custom linker flags.

Such flag can be enabling `.map` files, a `.def` file for libcurl DLL,
controlling static/shared, incl. requesting a static curl tool (with
`-static-libtool-libs`) while building both shared and static libcurl.

curl-for-win uses the above and some more.

These options are already supported in `Makefile.mk`. CMake has built-in
variables for this.

Closes #12312

show more ...

tool_cb_hdr: add an additional parsing check

- Don't dereference the past-the-end element when parsing the server's
Content-disposition header.

As 'p' is advanced it can point

tool_cb_hdr: add an additional parsing check

- Don't dereference the past-the-end element when parsing the server's
Content-disposition header.

As 'p' is advanced it can point to the past-the-end element and prior
to this change 'p' could be dereferenced in that case.

Technically the past-the-end element is not out of bounds because dynbuf
(which manages the header line) automatically adds a null terminator to
every buffer and that is not included in the buffer length passed to
the header callback.

Closes https://github.com/curl/curl/pull/12320

show more ...

.cirrus.yml: freebsd 14

ensure curl works on latest freebsd version

Closes #12053

easy: in duphandle, init the cookies for the new handle

... not the source handle.

Closes #12318

duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set

Previously it would unconditionally use the size, which is set to -1
when strlen is requested.

Updated test 544

duphandle: use strdup to clone *COPYPOSTFIELDS if size is not set

Previously it would unconditionally use the size, which is set to -1
when strlen is requested.

Updated test 544 to verify.

Closes #12317

show more ...

RELEASE-NOTES: synced

curl_easy_duphandle.3: clarify how HSTS and alt-svc are duped

Closes #12315

urldata: move hstslist from 'set' to 'state'

To make it work properly with curl_easy_duphandle(). This, because
duphandle duplicates the entire 'UserDefined' struct by plain copy while

urldata: move hstslist from 'set' to 'state'

To make it work properly with curl_easy_duphandle(). This, because
duphandle duplicates the entire 'UserDefined' struct by plain copy while
'hstslist' is a linked curl_list of file names. This would lead to a
double-free when the second of the two involved easy handles were
closed.

Closes #12315

show more ...

test1900: verify duphandle with HSTS using multiple files

Closes #12315

http: allow longer HTTP/2 request method names

- Increase the maximum request method name length from 11 to 23.

For HTTP/1.1 and earlier there's not a specific limit in libcurl for

http: allow longer HTTP/2 request method names

- Increase the maximum request method name length from 11 to 23.

For HTTP/1.1 and earlier there's not a specific limit in libcurl for
method length except that it is limited by the initial HTTP request
limit (DYN_HTTP_REQUEST). Prior to fc2f1e54 HTTP/2 was treated the same
and there was no specific limit.

According to Internet Assigned Numbers Authority (IANA) the longest
registered method is UPDATEREDIRECTREF which is 17 characters.

Also there are unregistered methods used by some companies that are
longer than 11 characters.

The limit was originally added by 61f52a97 but not used until fc2f1e54.

Ref: https://www.iana.org/assignments/http-methods/http-methods.xhtml

Closes https://github.com/curl/curl/pull/12311

show more ...

CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does

- Add an explanation of the CURL_BLOB_COPY flag to CURLOPT_CAINFO_BLOB
and CURLOPT_PROXY_CAINFO_BLOB docs.

All the othe

CURLOPT_CAINFO_BLOB.3: explain what CURL_BLOB_COPY does

- Add an explanation of the CURL_BLOB_COPY flag to CURLOPT_CAINFO_BLOB
and CURLOPT_PROXY_CAINFO_BLOB docs.

All the other _BLOB option docs already have the same explanation.

Closes https://github.com/curl/curl/pull/12277

show more ...

tidy-up: dedupe Windows system libs in cmake

Reviewed-by: Daniel Stenberg
Closes #12307

ci: test with latest quiche release (0.19.0)

Closes #12180

quiche: use quiche_conn_peer_transport_params()

In recent quiche, transport parameter API is separated
with quiche_conn_peer_transport_params().
(https://github.com/cloudflare/quiche

quiche: use quiche_conn_peer_transport_params()

In recent quiche, transport parameter API is separated
with quiche_conn_peer_transport_params().
(https://github.com/cloudflare/quiche/pull/1575)
It breaks with bulding with latest(post 0.18.0) quiche.

Closes #12180

show more ...

Makefile: generate the VC 14.20 project files at dist-time

Follow-up to 28287092cc5a6d6ef8 (#12282)

Closes #12290

misc: fix -Walloc-size warnings

GCC 14 introduces a new -Walloc-size included in -Wextra which gives:

```
src/tool_operate.c: In function ‘add_per_transfer’:
src/tool_operat

misc: fix -Walloc-size warnings

GCC 14 introduces a new -Walloc-size included in -Wextra which gives:

```
src/tool_operate.c: In function ‘add_per_transfer’:
src/tool_operate.c:213:5: warning: allocation of insufficient size ‘1’ for type ‘struct per_transfer’ with size ‘480’ [-Walloc-size]
213 | p = calloc(sizeof(struct per_transfer), 1);
| ^
src/var.c: In function ‘addvariable’:
src/var.c:361:5: warning: allocation of insufficient size ‘1’ for type ‘struct var’ with size ‘32’ [-Walloc-size]
361 | p = calloc(sizeof(struct var), 1);
| ^
```

The calloc prototype is:
```
void *calloc(size_t nmemb, size_t size);
```

So, just swap the number of members and size arguments to match the
prototype, as we're initialising 1 struct of size `sizeof(struct
...)`. GCC then sees we're not doing anything wrong.

Closes #12292

show more ...