d0664381 | 11-Nov-2023 |
Mark Gaiser |
IPFS: bugfixes - Fixed endianness bug in gateway file parsing - Use IPFS_PATH in tests where IPFS_DATA was used - Fixed typos from traling -> trailing - Fixed broken link in IPFS.md Follow-up to 859e88f6533f9e Reported-by: Michael Kaufmann Bug: https://github.com/curl/curl/pull/12152#issuecomment-1798214137 Closes #12305
|
9588528a | 11-Nov-2023 |
Daniel Stenberg |
VULN-DISCLOSURE-POLICY: remove broken link to hackerone It should ideally soon not be done from hackerone anyway Closes #12308 |
1af46f2f | 03-Nov-2023 |
Andrew Kurushin |
schannel: add CA cache support for files and memory blobs - Support CA bundle and blob caching. Cache timeout is 24 hours or can be set via CURLOPT_CA_CACHE_TIMEOUT. Closes https://github.com/curl/curl/pull/12261
|
ad6fc641 | 10-Nov-2023 |
Daniel Stenberg |
RELEASE-NOTES: synced |
aace27b0 | 06-Nov-2023 |
Charlie C |
cmake: option to disable install & drop `curlu` target when unused This patch makes the following changes: - adds the option `CURL_DISABLE_INSTALL` - to disable 'install' targets. - Removes the target `curlu` when the option `BUILD_TESTING` is set to `OFF` - to prevent it from being loaded in Visual Studio. Closes #12287
|
45d2ff6f | 22-Sep-2023 |
Kai Pastor |
cmake: fix multiple include of CURL package

Fixes errors on second `find_package(CURL)`. This is a frequent case with transitive dependencies:

```
CMake Error at ...: add_library cannot create ALIAS target "CURL::libcurl" because another target with the same name already exists.
```

Test to reproduce:

```cmake
cmake_minimum_required(VERSION 3.27)  # must be 3.18 or higher
project(curl)
set(CURL_DIR "example/lib/cmake/CURL/")
find_package(CURL CONFIG REQUIRED)
find_package(CURL CONFIG REQUIRED)  # fails
add_executable(main main.c)
target_link_libraries(main CURL::libcurl)
```

Ref: https://cmake.org/cmake/help/latest/release/3.18.html#other-changes
Ref: https://cmake.org/cmake/help/v3.18/policy/CMP0107.html
Ref: #12300
Assisted-by: Harry Mallon
Closes #11913
|
9fb6cc54 | 08-Nov-2023 |
Viktor Szakats |
tidy-up: use `OPENSSL_VERSION_NUMBER` Uniformly use `OPENSSL_VERSION_NUMBER` to check for OpenSSL version. Before this patch some places used `OPENSSL_VERSION_MAJOR`. Also fix `lib/md4.c`, which included `opensslconf.h`, but that doesn't define any version number in these implementations: BoringSSL, AWS-LC, LibreSSL, wolfSSL. (Only in mainline OpenSSL/quictls). Switch that to `opensslv.h`. This wasn't causing a deeper problem because the code is looking for v3, which is only provided by OpenSSL/quictls as of now. According to https://github.com/openssl/openssl/issues/17517, the macro `OPENSSL_VERSION_NUMBER` is safe to use and not deprecated. Reviewed-by: Marcel Raad Closes #12298
|
6d558cbf | 08-Nov-2023 |
Daniel Stenberg |
resolve.d: drop a multi use-sentence Since the `multi:` keyword adds that message. Reported-by: 積丹尼 Dan Jacobson Fixes https://github.com/curl/curl/discussions/12294 Closes #12295
|
82ba603d | 07-Nov-2023 |
Daniel Stenberg |
content_encoding: make Curl_all_content_encodings allocless - Fixes a memory leak pointed out by Coverity - Also found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63947 - Avoids unnecessary allocations Follow-up ad051e1cbec68b2456a22661b Closes #12289
|
36662c38 | 06-Nov-2023 |
Michael Kaufmann |
vtls: use ALPN "http/1.1" for HTTP/1.x, including HTTP/1.0 Some servers don't support the ALPN protocol "http/1.0" (e.g. IIS 10), avoid it and use "http/1.1" instead. This reverts commit df856cb5c9 (#10183). Fixes #12259 Closes #12285
|
3d93d18d | 07-Nov-2023 |
Daniel Stenberg |
Makefile.am: drop vc10, vc11 and vc12 projects from dist They are end of life products. Support for generating them remains in the repo for a while but this change drops them from distribution. Closes #12288
|
28287092 | 06-Nov-2023 |
David Suter |
projects: add VC14.20 project files Windows projects included VC14, VC14.10, VC14.30 but not VC14.20. OpenSSL and Wolf SSL scripts mention VC14.20 so I don't see a reason why this is missing. Updated the templates to produce a VC14.20 project. Project opens in Visual Studio 2019 as expected. Closes #12282
|
01d9b8bc | 06-Nov-2023 |
Daniel Stenberg |
curl: move IPFS code into src/tool_ipfs.[ch] - convert ensure_trailing into ensure_trailing_slash - strdup the URL string to own it proper - use shorter variable names - combine some expressions - simplify error handling in ipfs_gateway() - add MAX_GATEWAY_URL_LEN + proper bailout if maximum is reached - ipfs-gateway.d polish and simplification - shorten ipfs error message + make them "synthetic" Closes #12281
|
fd7ef00f | 28-Oct-2023 |
Viktor Szakats |
build: delete support bits for obsolete Windows compilers - Pelles C: Unclear status, failed to obtain a fresh copy a few months ago. Possible website is HTTP-only. ~10 years ago I left this compiler dealing with crashes and other issues with no response on the forum for years. It has seen some activity in curl back in 2021. - LCC: Last stable release in September 2002. - Salford C: Misses winsock2 support, possibly abandoned? Last mentioned in 2006. - Borland C++: We dropped Borland C++ support in 2018. - MS Visual C++ 6.0: Released in 1998. curl already requires VS 2010 (or possibly 2008) as a minimum. Closes #12222
|
60359ad5 | 06-Nov-2023 |
Viktor Szakats |
build: delete `HAVE_STDINT_H` and `HAVE_INTTYPES_H` We use `stdint.h` unconditionally in all places except one. These uses are imposed by external dependencies / features. nghttp2, quic, wolfSSL and `HAVE_MACH_ABSOLUTE_TIME` do require this C99 header. It means that any of these features make curl require a C99 compiler. (In case of MSVC, this means Visual Studio 2010 or newer.) This patch changes the single use of `stdint.h` guarded by `HAVE_STDINT_H` to use `stdint.h` unconditionally. Also stop using `inttypes.h` as an alternative there. `HAVE_INTTYPES_H` wasn't used anywhere else, allowing to delete this feature check as well. Closes #12275
|
ba281e5c | 06-Nov-2023 |
Daniel Stenberg |
tool_operate: do not mix memory models Make sure 'inputpath' only points to memory allocated by libcurl so that curl_free works correctly. Pointed out by Coverity Follow-up to 859e88f6533f9e1f890 Closes #12280
|
ad051e1c | 23-Oct-2023 |
Stefan Eissing |
lib: client writer, part 2, accounting + logging This PR has these changes: Renaming of unencode_* to cwriter, e.g. client writers - documentation of sendf.h functions - move max decode stack checks back to content_encoding.c - define writer phase which was used as order before - introduce phases for monitoring in between decode phases - offering default implementations for init/write/close Add type parameter to client writer's do_write() - always pass all writes through the writer stack - writers who only care about BODY data will pass other writes unchanged add RAW and PROTOCOL client writers - RAW used for Curl_debug() logging of CURLINFO_DATA_IN - PROTOCOL used for updates to data->req.bytecount, max_filesize checks and Curl_pgrsSetDownloadCounter() - remove all updates of data->req.bytecount and calls to Curl_pgrsSetDownloadCounter() and Curl_debug() from other code - adjust test457 expected output to no longer see the excess write Closes #12184
|
2b16b86b | 06-Nov-2023 |
Daniel Stenberg |
VULN-DISCLOSURE-POLICY: escape sequences are not a security flaw Closes #12278 |
7925ba43 | 05-Nov-2023 |
Viktor Szakats |
rand: fix build error with autotools + LibreSSL

autotools unexpectedly detects `arc4random` because it is also looking into dependency libs. One dependency, LibreSSL, happens to publish an `arc4random` function (via its shared lib before v3.7, also via static lib as of v3.8.2). When trying to use this function in `lib/rand.c`, its prototype is missing. To fix that, curl included a prototype, but that used a C99 type without including `stdint.h`, causing:

```
../../lib/rand.c:37:1: error: unknown type name 'uint32_t'
   37 | uint32_t arc4random(void);
      | ^
1 error generated.
```

This patch improves this by dropping the local prototype and instead limiting `arc4random` use for non-OpenSSL builds. OpenSSL builds provide their own random source anyway.

The better fix would be to teach autotools to not link dependency libs while detecting `arc4random`.

LibreSSL publishing a non-namespaced `arc4random` tracked here: https://github.com/libressl/portable/issues/928

Regression from 755ddbe901cd0c921fbc3ac5b3775c0dc683bc73 #10672
Reviewed-by: Daniel Stenberg
Fixes #12257
Closes #12274
|
1e4f5a4a | 05-Nov-2023 |
Daniel Stenberg |
RELEASE-NOTES: synced |
ac57e69b | 04-Nov-2023 |
Daniel Stenberg |
strdup: do Curl_strndup without strncpy To avoid (false positive) gcc-13 compiler warnings. Follow-up to 4855debd8a2c1cb Assisted-by: Jay Satiro Reported-by: Viktor Szakats Fixes #12258
|
46878b9e | 03-Nov-2023 |
Enno Boland |
HTTP: fix empty-body warning

This change fixes a compiler warning with gcc-12.2.0 when `-DCURL_DISABLE_BEARER_AUTH=ON` is used.

```
/home/tox/src/curl/lib/http.c: In function 'Curl_http_input_auth':
/home/tox/src/curl/lib/http.c:1147:12: warning: suggest braces around empty body in an 'else' statement [-Wempty-body]
 1147 |            ;
      |            ^
```

Closes #12262
|
86d4a412 | 04-Nov-2023 |
Daniel Stenberg |
openssl: identify the "quictls" backend correctly Since vanilla OpenSSL does not support the QUIC API I think it helps users to identify the correct OpenSSL fork in version output. The best (crude) way to do that right now seems to be to check if ngtcp2 support is enabled. Closes #12270
|
859e88f6 | 18-Oct-2023 |
Mark Gaiser |
curl: improved IPFS and IPNS URL support Previously just ipfs://<cid> and ipns://<cid> were supported, which is too strict for some use cases. This patch allows paths and query arguments to be used too. Making this work according to normal http semantics: ipfs://<cid>/foo/bar?key=val ipns://<cid>/foo/bar?key=val The gateway url support is changed. It now only supports gateways in the form of: http://<gateway>/foo/bar http://<gateway> Query arguments here are explicitly not allowed and trigger an intended malformed url error. There also was a crash when IPFS_PATH was set with a non trailing forward slash. This has been fixed. Lastly, a load of test cases have been added to verify the above. Reported-by: Steven Allen Fixes #12148 Closes #12152
|
d112c242 | 01-Nov-2023 |
Harry Mallon |
docs: KNOWN_BUGS cleanup * Remove other mention of hyper memory-leaks from `KNOWN_BUGS`. Should have been removed in 629723ecf22a8eae78d64cceec2f3bdae703ec95 * Remove mention of aws-sigv4 sort query string from `KNOWN_BUGS`. Fixed in #11806 * Remove mention of aws-sigv4 query empty value problems * Remove mention of aws-sigv4 missing amz-content-sha256 Fixed in #9995
|