cmake: replace `check_library_exists_concat()`

The idea of `check_library_exists_concat()` is that it detects an
optional component and adds it to the list of libs that we also use in

cmake: replace `check_library_exists_concat()`

The idea of `check_library_exists_concat()` is that it detects an
optional component and adds it to the list of libs that we also use in
subsequent component checks. This caused problems when detecting
components with unnecessary dependencies that were not yet built.

CMake offers the `CMAKE_REQUIRED_LIBRARIES` variable to set libs used
for component checks, which we already use in most cases. That left 4
uses of `check_library_exists_concat()`. Only one of these actually
needed the 'concat' feature (ldap/lber).

Delete this function and replace it with standard
`check_library_exists()` and manual management of our `CURL_LIBS`
list we use when linking build targets. And special logic to handle the
ldap/lber case.

(We have a similar function for headers: `check_include_file_concat()`.
It works, but problematic for performance reasons and because it hides
the actual headers required in `check_symbol_exists()` calls.)

Ref: #11537 #11558
Fixes #11285
Fixes #11648
Closes #12070

show more ...

tool_cb_wrt: fix write output for very old Windows versions

- Pass missing parameter for 'lpNumberOfCharsWritten' to WriteConsoleW()
function.

Apparently this parameter was *n

tool_cb_wrt: fix write output for very old Windows versions

- Pass missing parameter for 'lpNumberOfCharsWritten' to WriteConsoleW()
function.

Apparently this parameter was *not* optional on older Windows versions.

Issue observed on Windows XP SP2. Issue not observed on Windows 7 SP1.
So at some point between those two Microsoft changed the behavior.

Prior to this change, on those versions if parameter is NULL then the
function call fails with error ERROR_INVALID_ACCESS.

Regression since af3f4e41.

Ref: https://github.com/MicrosoftDocs/Console-Docs/issues/299

Fixes https://github.com/curl/curl/issues/12131
Closes https://github.com/curl/curl/pull/12130

show more ...

tool_urlglob: fix build for old gcc versions

- Don't use __builtin_mul_overflow for GCC 4 and earlier.

The function was added in GCC 5.

Ref: https://gcc.gnu.org/gcc-5/chang

tool_urlglob: fix build for old gcc versions

- Don't use __builtin_mul_overflow for GCC 4 and earlier.

The function was added in GCC 5.

Ref: https://gcc.gnu.org/gcc-5/changes.html

Reported-by: Dan Fandrich

Fixes https://github.com/curl/curl/issues/12124
Closes https://github.com/curl/curl/pull/12128

show more ...

docs/libcurl: fix three minor man page format mistakes

Reported-by: Samuel Henrique

Closes https://github.com/curl/curl/pull/12126

tests/server: add more SOCKS5 handshake error checking

- Add additional checking for missing and too-short SOCKS5 handshake
messages.

Prior to this change the SOCKS5 test serv

tests/server: add more SOCKS5 handshake error checking

- Add additional checking for missing and too-short SOCKS5 handshake
messages.

Prior to this change the SOCKS5 test server did not check that all parts
of the handshake were received successfully. If those parts were missing
or too short then the server would access uninitialized memory.

This issue was discovered in CI job 'memory-sanitizer' test results.
Test 2055 was failing due to the SOCKS5 test server not running. It was
not running because either it crashed or memory sanitizer aborted it
during Test 728. Test 728 connects to the SOCKS5 test server on a
redirect but does not send any data on purpose. The test server was not
prepared for that.

Reported-by: Dan Fandrich

Fixes https://github.com/curl/curl/issues/12117
Closes https://github.com/curl/curl/pull/12118

show more ...

RELEASE-NOTES: synced

tool_getparam: limit --rate to be smaller than number of ms

Currently, curl allows users to specify absurd request rates that might
be higher than the number of milliseconds in the unit

tool_getparam: limit --rate to be smaller than number of ms

Currently, curl allows users to specify absurd request rates that might
be higher than the number of milliseconds in the unit (ex: curl --rate
3600050/h http://localhost:8080 does not error out despite there being
only 3600000ms in a hour).

This change adds a conditional check before the millisecond calculation
making sure that the number is not higher than the numerator (the unit)
If the number is higher, curl errors out with PARAM_NUMBER_TOO_LARGE

Closes #12116

show more ...

opts: fix two minor man page format mistakes

curl_trc: remove a bad assertion

- Remove DEBUGASSERT that an internal handle must not have user
private_data set before calling the user's debug callback.

This is a follow-up

curl_trc: remove a bad assertion

- Remove DEBUGASSERT that an internal handle must not have user
private_data set before calling the user's debug callback.

This is a follow-up to 0dc40b2a. The user can distinguish their easy
handle from an internal easy handle by setting CURLOPT_PRIVATE on their
easy handle. I had wrongly assumed that meant the user couldn't then
set CURLOPT_PRIVATE on an internal handle as well.

Bug: https://github.com/curl/curl/pull/12060#issuecomment-1754594697
Reported-by: Daniel Stenberg

Closes https://github.com/curl/curl/pull/12104

show more ...

test613: stop showing an error on missing output file

This test would show an error message if the output was missing during
the log post-processing step, but the message was not capture

test613: stop showing an error on missing output file

This test would show an error message if the output was missing during
the log post-processing step, but the message was not captured by the
test harness and wasn't useful since the normal golden log file
comparison would the problem more clearly.

show more ...

quic: manage connection idle timeouts

- configure a 120s idle timeout on our side of the connection
- track the timestamp when actual socket IO happens
- check IO timestamp to our *a

quic: manage connection idle timeouts

- configure a 120s idle timeout on our side of the connection
- track the timestamp when actual socket IO happens
- check IO timestamp to our *and* the peer's idle timeouts
in "is this connection alive" checks

Reported-by: calvin2021y on github
Fixes #12064
Closes #12077

show more ...

CI: ignore test 286 on Appveyor gcc 9 build

This test fails sometimes with a super fast retry loop due to what may
just be a compiler bug. The test results are ignored on the one CI job

CI: ignore test 286 on Appveyor gcc 9 build

This test fails sometimes with a super fast retry loop due to what may
just be a compiler bug. The test results are ignored on the one CI job
where it occurs because there seems to be nothing we can do to fix it.

Fixes #12040
Closes #12106

show more ...

lib: fix gcc warning in printf call

Do not pass NULL to printf %s.

Seen with gcc 13.2.0 on Debian:
```
.../curl/lib/connect.c:696:27: warning: '%s' directive argument is nul

lib: fix gcc warning in printf call

Do not pass NULL to printf %s.

Seen with gcc 13.2.0 on Debian:
```
.../curl/lib/connect.c:696:27: warning: '%s' directive argument is null [-Wformat-overflow=]
```
Ref: https://github.com/curl/curl-for-win/actions/runs/6476161689/job/17584426483#step:3:11104

Ref: #10284
Co-authored-by: Jay Satiro
Closes #12082

show more ...

http2: safer invocation of populate_binsettings

populate_binsettings now returns a negative value on error, instead of a
huge positive value. Both places which call this function have be

http2: safer invocation of populate_binsettings

populate_binsettings now returns a negative value on error, instead of a
huge positive value. Both places which call this function have been
updated to handle this change in its contract.

The way populate_binsettings had been used prior to this change the huge
positive values -- due to signed->unsigned conversion of the potentially
negative result of nghttp2_pack_settings_payload which returns negative
values on error -- are not possible. But only because http2.c currently
always provides a large enough output buffer and provides H2 SETTINGS
IVs which pass the verification logic inside nghttp2. If the
verification logic were to change or if http2.c started passing in more
IVs without increasing the output buffer size, the overflow could become
reachable, and libcurl/curl might start leaking memory contents to
servers/proxies...

Closes #12101

show more ...

openssl: avoid BN_num_bits() NULL pointer derefs

Reported-by: icy17 on github
Fixes #12099
Closes #12100

wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA

This define is set in wolfssl's options.h file when this function and
feature is present. Handles both builds with the feature

wolfssl: require WOLFSSL_SYS_CA_CERTS for loading system CA

This define is set in wolfssl's options.h file when this function and
feature is present. Handles both builds with the feature explicitly
disabled and wolfSSL versions before 5.5.2 - which introduced this API
call.

Closes #12108

show more ...

tool_urlglob: make multiply() bail out on negative values

- Does not work correctly with negative values
- use __builtin_mul_overflow() on gcc

Reported-by: Torben Dury
Close

tool_urlglob: make multiply() bail out on negative values

- Does not work correctly with negative values
- use __builtin_mul_overflow() on gcc

Reported-by: Torben Dury
Closes #12102

show more ...

cmake: fix CURL_DISABLE_GETOPTIONS

- Add CURL_DISABLE_GETOPTIONS to curl_config.h.cmake.

Prior to this change the option had no effect because it was missing
from that file.

cmake: fix CURL_DISABLE_GETOPTIONS

- Add CURL_DISABLE_GETOPTIONS to curl_config.h.cmake.

Prior to this change the option had no effect because it was missing
from that file.

Closes https://github.com/curl/curl/pull/12091

show more ...

easy_lock: add a pthread_mutex_t fallback

This allows to keep the init threadsafe with gcc < 4.9.0 (no C11
atomics).

Closes https://github.com/curl/curl/pull/12090

CI: add autotools, out-of-tree, debug build to distro check job

Add a job that builds curl from a generated source tarball sample, with
autotools, out-of-tree, in debug mode.

Re

CI: add autotools, out-of-tree, debug build to distro check job

Add a job that builds curl from a generated source tarball sample, with
autotools, out-of-tree, in debug mode.

Ref: #12085
Closes #12088

show more ...

http: avoid Expect: 100-continue if Upgrade: is used

Reported-by: Daniel Jelinski
Fixes #12022
Closes #12062

docs: use SOURCE_DATE_EPOCH for generated manpages

This should make builds from Git reproducible.

Closes #12092

RELEASE-NOTES: synced

Bumped to 8.4.1

cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection

Fix `HAVE_H_ERRNO_ASSIGNABLE` to not run, only compile its test snippet,
aligning this with autotools. This fixes an error when doing
c

cmake: fix `HAVE_H_ERRNO_ASSIGNABLE` detection

Fix `HAVE_H_ERRNO_ASSIGNABLE` to not run, only compile its test snippet,
aligning this with autotools. This fixes an error when doing
cross-builds and also actually detects this feature. It affected systems
not allowlisted into this, e.g. SerenityOS.

We used this detection result to enable `HAVE_GETADDRINFO_THREADSAFE`.

Follow-up to 04a3a377d83fd72c4cf7a96c9cb6d44785e33264 #11979
Ref: #12095 (closed in favour of this patch)
Ref: #11964 (effort to sync cmake detections with autotools)

Reported-by: Kartatz on Github
Assisted-by: Kartatz on Github
Fixes #12093
Closes #12094

show more ...

build: add `src/.checksrc` to source tarball

Regression from e5bb88b8f824ed87620bd923552534c83c2a516e #11958

Bug: https://github.com/curl/curl/pull/11958#issuecomment-1757079071

build: add `src/.checksrc` to source tarball

Regression from e5bb88b8f824ed87620bd923552534c83c2a516e #11958

Bug: https://github.com/curl/curl/pull/11958#issuecomment-1757079071
Reported-by: Romain Geissler
Fixes #12084
Closes #12085

show more ...