single_transfer: use the libcurl URL parser when appending query parts

Instead of doing "manual" error-prone parsing in another place.

Used when --data contents is added to the URL

single_transfer: use the libcurl URL parser when appending query parts

Instead of doing "manual" error-prone parsing in another place.

Used when --data contents is added to the URL query when -G is provided.

Closes #9681

show more ...

ws: fix buffer pointer use in the callback loop

Closes #9678

curl-wolfssl.m4: error out if wolfSSL is not usable

When I explicitly declare, that I would like to have curl built with
wolfSSL support using `--with-wolfssl` configure option, then I w

curl-wolfssl.m4: error out if wolfSSL is not usable

When I explicitly declare, that I would like to have curl built with
wolfSSL support using `--with-wolfssl` configure option, then I would
expect, that either I endup with curl having that support, for example
in form of https support or it wouldn't be available at all.

Downstream projects like for example OpenWrt build curl wolfSSL variant
with `--with-wolfssl` already, but in certain corner cases it does fail:

configure:25299: checking for wolfSSL_Init in -lwolfssl
configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip]
In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.h:33,
from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_public.h:35,
from target-x86_64_musl/usr/include/wolfssl/ssl.h:35,
from conftest.c:47:
target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal error: wolfssl/wolfcrypt/sp_int.h: No such file or directory
#include <wolfssl/wolfcrypt/sp_int.h>
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.

and in the end thus produces curl without https support:

curl: (1) Protocol "https" not supported or disabled in libcurl

So fix it, by making the working wolfSSL mandatory and error out in
configure step when that's not the case:

checking for wolfSSL_Init in -lwolfssl... no
configure: error: --with-wolfssl but wolfSSL was not found or doesn't work

References: https://github.com/openwrt/packages/issues/19005
References: https://github.com/openwrt/packages/issues/19547
Signed-off-by: Petr Štetiar <ynezz@true.cz>

Closes #9682

show more ...

tool_getparam: pass in the snprintf("%.*s") string length as 'int'

Reported by Coverity CID 1515928

Closes #9679

ws: minor fixes for web sockets without the CONNECT_ONLY flag

- Fixed an issue where is_in_callback was getting cleared when using web
sockets with debug logging enabled
- Ensure t

ws: minor fixes for web sockets without the CONNECT_ONLY flag

- Fixed an issue where is_in_callback was getting cleared when using web
sockets with debug logging enabled
- Ensure the handle is is_in_callback when calling out to fwrite_func
- Change the write vs. send_data decision to whether or not the handle
is in CONNECT_ONLY mode.
- Account for buflen not including the header length in curl_ws_send

Closes #9665

show more ...

CI/cirrus: merge existing macOS jobs into a job matrix

Ref: #9627
Reviewed-by: Philip H.

Closes #9672

strcase: add and use Curl_timestrcmp

This is a strcmp() alternative function for comparing "secrets",
designed to take the same time no matter the content to not leak
match/non-match

strcase: add and use Curl_timestrcmp

This is a strcmp() alternative function for comparing "secrets",
designed to take the same time no matter the content to not leak
match/non-match info to observers based on how fast it is.

The time this function takes is only a function of the shortest input
string.

Reported-by: Trail of Bits

Closes #9658

show more ...

tool_getparam: split out data_urlencode() into its own function

Closes #9673

connect: fix Curl_updateconninfo for TRNSPRT_UNIX

Reported-by: Vasiliy Ulyanov
Fixes #9664
Closes #9670

ws: fix Coverity complaints

Coverity pointed out several flaws where variables remained
uninitialized after forks.

Follow-up to e3f335148adc6742728f

Closes #9666

CI/GHA: merge msh3 and openssl3 builds into linux workflow

Continue work on merging all Linux workflows into one file.

Follow up to #9501
Closes #9646

curl_ws_send.3: call the argument 'fragsize'

Since WebSocket works with "fragments" not "frames"

Closes #9668

easy: avoid Intel error #2312: pointer cast involving 64-bit pointed-to type

Follow-up to e3f335148adc6742728ff8

Closes #9669

tool_main: exit at once if out of file descriptors

If the main_checkfds function cannot create new file descriptors in an
attempt to detect of stdin, stdout or stderr are closed.

tool_main: exit at once if out of file descriptors

If the main_checkfds function cannot create new file descriptors in an
attempt to detect of stdin, stdout or stderr are closed.

Also changed the check to use fcntl() to check if the descriptors are
open, which avoids superfluously calling pipe() if they all already are.

Follow-up to facfa19cdd4d0094

Reported-by: Trail of Bits

Closes #9663

show more ...

websockets: remodeled API to support 63 bit frame sizes

curl_ws_recv() now receives data to fill up the provided buffer, but can
return a partial fragment. The function now also get a po

websockets: remodeled API to support 63 bit frame sizes

curl_ws_recv() now receives data to fill up the provided buffer, but can
return a partial fragment. The function now also get a pointer to a
curl_ws_frame struct with metadata that also mentions the offset and
total size of the fragment (of which you might be receiving a smaller
piece). This way, large incoming fragments will be "streamed" to the
application. When the curl_ws_frame struct field 'bytesleft' is 0, the
final fragment piece has been delivered.

curl_ws_recv() was also adjusted to work with a buffer size smaller than
the fragment size. (Possibly needless to say as the fragment size can
now be 63 bit large).

curl_ws_send() now supports sending a piece of a fragment, in a
streaming manner, in addition to sending the entire fragment in a single
call if it is small enough. To send a huge fragment, curl_ws_send() can
be used to send it in many small calls by first telling libcurl about
the total expected fragment size, and then send the payload in N number
of separate invokes and libcurl will stream those over the wire.

The struct curl_ws_meta() returns is now called 'curl_ws_frame' and it
has been extended with two new fields: *offset* and *bytesleft*. To help
describe the passed on data chunk when a fragment is delivered in many
smaller pieces.

The documentation has been updated accordingly.

Closes #9636

show more ...

docs/examples: avoid deprecated options in examples where possible

Example programs targeting a deprecated feature/option are commented with
a warning about it.
Other examples are ad

docs/examples: avoid deprecated options in examples where possible

Example programs targeting a deprecated feature/option are commented with
a warning about it.
Other examples are adapted to not use deprecated options.

Closes #9661

show more ...

cmake: fix enabling websocket support

Follow-up from 664249d095275ec532f55dd1752d80c8c1093a77

Closes #9660

tidy-up: delete parallel/unused feature flags

Detecting headers and lib separately makes sense when headers come in
variations or with extra ones, but this wasn't the case here. These we

tidy-up: delete parallel/unused feature flags

Detecting headers and lib separately makes sense when headers come in
variations or with extra ones, but this wasn't the case here. These were
duplicate/parallel macros that we had to keep in sync with each other
for a working build. This patch leaves a single macro for each of these
dependencies:

- Rely on `HAVE_LIBZ`, delete parallel `HAVE_ZLIB_H`.

Also delete CMake logic making sure these two were in sync, along with
a toggle to turn off that logic, called `CURL_SPECIAL_LIBZ`.

Also delete stray `HAVE_ZLIB` defines.

There is also a `USE_ZLIB` variant in `lib/config-dos.h`. This patch
retains it for compatibility and deprecates it.

- Rely on `USE_LIBSSH2`, delete parallel `HAVE_LIBSSH2_H`.

Also delete `LIBSSH2_WIN32`, `LIBSSH2_LIBRARY` from
`winbuild/MakefileBuild.vc`, these have a role when building libssh2
itself. And `CURL_USE_LIBSSH`, which had no use at all.

Also delete stray `HAVE_LIBSSH2` defines.

- Rely on `USE_LIBSSH`, delete parallel `HAVE_LIBSSH_LIBSSH_H`.

Also delete `LIBSSH_WIN32`, `LIBSSH_LIBRARY` and `HAVE_LIBSSH` from
`winbuild/MakefileBuild.vc`, these were the result of copy-pasting the
libssh2 line, and were not having any use.

- Delete unused `HAVE_LIBPSL_H` and `HAVE_LIBPSL`.

Reviewed-by: Daniel Stenberg

Closes #9652

show more ...

netrc: compare user name case sensitively

User name comparisions in netrc need to match the case.

Closes #9657

CURLOPT_COOKIEFILE: insist on "" for enable-without-file

The former way that also suggested using a non-existing file to just
enable the cookie engine could lead to developers maybe a bi

CURLOPT_COOKIEFILE: insist on "" for enable-without-file

The former way that also suggested using a non-existing file to just
enable the cookie engine could lead to developers maybe a bit carelessly
guessing a file name that will not exist, and then in a future due to
circumstances, such a file could be made to exist and then accidentally
libcurl would read cookies not actually meant to.

Reported-by: Trail of bits

Closes #9654

show more ...

tests/Makefile: remove run time stats from ci-test

The ci-test is the normal makefile target invoked in CI jobs. This has
been using the -r option to runtests.pl since a long time, but I

tests/Makefile: remove run time stats from ci-test

The ci-test is the normal makefile target invoked in CI jobs. This has
been using the -r option to runtests.pl since a long time, but I find
that it mostly just adds many lines to the test output report without
anyone caring much about those stats.

Remove it.

Closes #9656

show more ...

tool: reorganize function c_escape around a dynbuf

This is a bit shorter and a lot safer.

Substrings of unescaped characters are added by a single call to reduce
overhead.

tool: reorganize function c_escape around a dynbuf

This is a bit shorter and a lot safer.

Substrings of unescaped characters are added by a single call to reduce
overhead.

Extend test 1465 to handle more kind of escapes.

Closes #9653

show more ...

CURLOPT_HTTPPOST.3: bolden the deprecation notice

Ref: https://github.com/curl/curl/pull/9621

Closes https://github.com/curl/curl/pull/9637

misc: fix spelling in docs and comments

also: remove outdated sentence

Closes #9644

tool: avoid generating ambiguous escaped characters in --libcurl

C string hexadecimal-escaped characters may have more than 2 digits.
This results in a wrong C compiler interpretation of

tool: avoid generating ambiguous escaped characters in --libcurl

C string hexadecimal-escaped characters may have more than 2 digits.
This results in a wrong C compiler interpretation of a 2-digit escaped
character when followed by an hex digit character.

The solution retained here is to represent such characters as 3-digit
octal escapes.

Adjust and extend test 1465 for this case.

Closes #9643

show more ...