headers: make curl_easy_header and nextheader return different buffers

By letting curl_easy_header() and curl_easy_nextheader() store the
header data in their own struct storage when the

headers: make curl_easy_header and nextheader return different buffers

By letting curl_easy_header() and curl_easy_nextheader() store the
header data in their own struct storage when they return a pointer to
it, it makes it possible for applications to use them both in a loop.
Like the curl tool does.

Reported-by: Boris Okunskiy
Fixes #10704
Closes #10707

show more ...

urlapi: take const args in _dup and _get functions

Closes #10708

urlapi: avoid mutating internals in getter routine

This was not intended.

Closes #10708

urlapi: '%' is illegal in host names

Update test 1560 to verify

Ref: #10708
Closes #10711

ftp: make the 'ftpauth' a more normal 'char *'-array

Closes #10703

doc: fix compiler warning in libcurl.m4

Current test for curl_free() may produce warnings with strict compiler
flags or even with default compiler flags with upcoming versions.
These

doc: fix compiler warning in libcurl.m4

Current test for curl_free() may produce warnings with strict compiler
flags or even with default compiler flags with upcoming versions.
These warning could turned into errors by -Werror or similar flags.
Such warnings/errors are avoided by this patch.

Closes #10710

show more ...

misc: fix typos

Closes #10706

ftp: active mode with SSL, add the damn filter

- since 7.87.0 we lost adding the SSL filter for an active
FTP connection that uses SSL. This leads to hangers and timeouts
as repo

ftp: active mode with SSL, add the damn filter

- since 7.87.0 we lost adding the SSL filter for an active
FTP connection that uses SSL. This leads to hangers and timeouts
as reported in #10666.

Reported-by: SandakovMM on github
Fixes #10666
Closes #10669

show more ...

docs: extend the URL API descriptions

Closes #10701

url: fix logic in connection reuse to deny reuse on "unclean" connections

- add parameter to `conn_is_alive()` cfilter method that returns
if there is input data waiting on the connect

url: fix logic in connection reuse to deny reuse on "unclean" connections

- add parameter to `conn_is_alive()` cfilter method that returns
if there is input data waiting on the connection
- refrain from re-using connnection from the cache that have
input pending
- adapt http/2 and http/3 alive checks to digest pending input
to check the connection state
- remove check_cxn method from openssl as that was just doing
what the socket filter now does.
- add tests for connection reuse with special server configs

Closes #10690

show more ...

x509asn1: use plain %x, not %lx, when the arg is an int

Pointed out by Coverity.

Closes #10689

http2: fix handling of RST and GOAWAY to recognize partial transfers

- a reset transfer (HTTP/2 RST) did not always lead to the proper
error message on receiving its response, leading

http2: fix handling of RST and GOAWAY to recognize partial transfers

- a reset transfer (HTTP/2 RST) did not always lead to the proper
error message on receiving its response, leading to wrong reports
of a successful transfer
- test_05_02 was able to trigger this condition with increased transfer
count. The simulated response errors did not carry a 'Content-Length'
so only proper RST handling could detect the abort
- When doing such transfers in parallel, a connection could enter the
state where
a) it had been closed (GOAWAY received)
b) the RST had not been "seen" for the transfer yet
or c) the GOAWAY announced an error and the last successful
stream id was not checked against ongoing transfers

Closes #10693

show more ...

tests: use dynamic ports numbers in pytest suite

- necessary ports are bound at start of test suite and then
given to server fixtures for use.
- this make parallel use of pytest (i

tests: use dynamic ports numbers in pytest suite

- necessary ports are bound at start of test suite and then
given to server fixtures for use.
- this make parallel use of pytest (in separate directories),
practically safe for use as OS tend to not reuse such port numbers
for a while

Closes #10692

show more ...

connect: fix time_connect and time_appconnect timer statistics

- time_connect was not updated when the overall connection failed,
e.g. when SSL verification was unsuccessful, refs #106

connect: fix time_connect and time_appconnect timer statistics

- time_connect was not updated when the overall connection failed,
e.g. when SSL verification was unsuccessful, refs #10670
- rework gather those values to interrogate involved filters,
also from all eyeballing attempts, to report the maximum of
those values.
- added 3 test cases in test_06 to check reported values on
successful, partially failed and totally failed connections.

Reported-by: Master Inspire
Fixes #10670
Closes #10671

show more ...

test1905: update output cookie order

After the #10685 update

test420: verify expiring cookies

Cookies that are loaded fine from a jar but then are expired in headers.

cookie: don't load cookies again when flushing

Reported-by: Sergio Mijatovic
Fixes #10677
Closes #10685

RELEASE-NOTES: synced

docs: note '--data-urlencode' option

Closes #10687

DEPRECATE: the original legacy mingw version 1

Remove completely in September 2023

Closes #10667

rand: use arc4random as fallback when available

Normally curl uses cryptographically strong random provided by the
selected SSL backend. If compiled without SSL support, a naive built-in

rand: use arc4random as fallback when available

Normally curl uses cryptographically strong random provided by the
selected SSL backend. If compiled without SSL support, a naive built-in
function was used instead.

Generally this was okay, but it will result in some downsides for non-
SSL builds, such as predictable temporary file names.

This change ensures that arc4random will be used instead, if available.

Closes #10672

show more ...

tool: dump headers even if file is write-only

The fixes in #10079 brought a (seemingly unrelated) change of open mode
from `wb`/`ab` to `wb+`/`ab+` for the headerfile. This makes it no

tool: dump headers even if file is write-only

The fixes in #10079 brought a (seemingly unrelated) change of open mode
from `wb`/`ab` to `wb+`/`ab+` for the headerfile. This makes it no
longer possible to write the header file to e.g. a pipe, like:

curl -D >(grep ...) file:///dev/null

Which presently results in `Warning: Failed to open /dev/fd/63`

See #10079
Closes #10675

show more ...

tests: fix gnutls-serv check

- If gnutls-serv doesn't exist then don't try to execute it.

Follow-up to 2fdc1d81.

Closes https://github.com/curl/curl/pull/10688

lib1560: fix enumerated type mixed with another type

Follow-up to c84c0f9aa3bb006

Closes #10684

cmake: fix enabling LDAPS on Windows

Before this patch, enabling LDAPS required a manual C flag:
https://github.com/curl/curl-for-win/blob/c1cfc31cfc04f24f7a4f946564d6f0e1b4d7dd36/curl-c

cmake: fix enabling LDAPS on Windows

Before this patch, enabling LDAPS required a manual C flag:
https://github.com/curl/curl-for-win/blob/c1cfc31cfc04f24f7a4f946564d6f0e1b4d7dd36/curl-cmake.sh#L105

Fix this and enable LDAPS automatically when using `wldap32` (and
when not explicitly disabled). This matches autotools and `Makefile.mk`
behavior. Also remove issue from KNOWN_BUGS.

Add workaround for MSVS 2010 warning triggered by LDAPS now enabled
in more CI tests:
`ldap.c(360): warning C4306: 'type cast' : conversion from 'int' to 'void *' of greater size`
Ref: https://ci.appveyor.com/project/curlorg/curl/builds/46408284/job/v8mwl9yfbmoeqwlr#L312

Reported-by: JackBoosY on github
Reviewed-by: Jay Satiro
Reviewed-by: Marcel Raad
Fixes #6284
Closes #10674

show more ...