libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION

The callback set by CURLOPT_SSH_HOSTKEYFUNCTION is called to check
wether or not the connection should continue.

The host key is passed

libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION

The callback set by CURLOPT_SSH_HOSTKEYFUNCTION is called to check
wether or not the connection should continue.

The host key is passed in argument with a custom handle for the
application.

It overrides CURLOPT_SSH_KNOWNHOSTS

Closes #7959

show more ...

docs/CONTRIBUTE.md: document the 'needs-votes' concept

A pull request sent to the project might get labeled `needs-votes` by a
project maintainer. This label means that in addition to me

docs/CONTRIBUTE.md: document the 'needs-votes' concept

A pull request sent to the project might get labeled `needs-votes` by a
project maintainer. This label means that in addition to meeting all
other checks and qualifications this pull request must also receive
proven support/thumbs-ups from more community members to be considered
for merging.

Closes #8910

show more ...

digest: tolerate missing "realm"

Server headers may not define "realm", avoid NULL pointer dereference
in such cases.

Closes #8912

digest: added detection of more syntax error in server headers

Invalid headers should not be processed otherwise they may create
a security risk.

Closes #8912

digest: unquote realm and nonce before processing

RFC 7616 (and 2617) requires values to be "unquoted" before used for
digest calculations. The only place where unquoting can be done

digest: unquote realm and nonce before processing

RFC 7616 (and 2617) requires values to be "unquoted" before used for
digest calculations. The only place where unquoting can be done
correctly is header parsing function (realm="DOMAIN\\host" and
realm=DOMAN\\host are different realms).

This commit adds unquoting (de-escaping) of all values during header
parsing and quoting of the values during header forming. This approach
should be most straightforward and easy to read/maintain as all values
are processed in the same way as required by RFC.

Closes #8912

show more ...

headers: handle unfold of space-cleansed headers

Detected by OSS-fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47767

Updated test 1274

Closes #89

headers: handle unfold of space-cleansed headers

Detected by OSS-fuzz

Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47767

Updated test 1274

Closes #8947

show more ...

lib: make more protocol specific struct fields #ifdefed

... so that they don't take up space if the protocols are disabled in
the build.

Closes #8944

DISABLED: disable 1021 for hyper again

due to flakiness in the CI builds

urldata: store tcp_keepidle and tcp_keepintvl as ints

They can't be set larger than INT_MAX in the setsocket API calls.

Also document the max values in their respective man pages.

urldata: store tcp_keepidle and tcp_keepintvl as ints

They can't be set larger than INT_MAX in the setsocket API calls.

Also document the max values in their respective man pages.

Closes #8940

show more ...

urldata: reduce size of a few struct fields

When the values are never larger than 32 bit, ints are better than longs.

Closes #8940

urldata: remove three unused booleans from struct UserDefined

- is_fwrite_set
- free_referer
- strip_path_slash

Closes #8940

remote-name.d: mention --output-dir

plus add two see-alsos

Closes #8945

configure: skip libidn2 detection when winidn is used

Prior to this change --with-winidn could be overridden by libidn2
detection.

Closes https://github.com/curl/curl/pull/8934

CURLOPT_FILETIME.3: fix the protocols this works with

test681: verify --no-remote-name

Follow-up to 83ee5c428d960 (from #8931)

Closes #8942

ngtcp2: enable Linux GSO

Enable Linux GSO in ngtcp2 QUIC. In order to recover from the
EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write,
packet buffer is now hel

ngtcp2: enable Linux GSO

Enable Linux GSO in ngtcp2 QUIC. In order to recover from the
EAGAIN/EWOULDBLOCK by sendmsg with multiple packets in one GSO write,
packet buffer is now held by struct quicsocket. GSO write might fail in
runtime depending on NIC. Disable GSO if sendmsg returns EIO.

Closes #8909

show more ...

CURLOPT_PORT.3: We discourage using this option

Closes #8941

RELEASE-NOTES: synced

headers_push: error out if a folded header has no previous header

As that would indicate an illegal header. The fuzzer reached the assert
in unfold_value() proving that this case can hap

headers_push: error out if a folded header has no previous header

As that would indicate an illegal header. The fuzzer reached the assert
in unfold_value() proving that this case can happen.

Follow-up to c9b60f005358a364

Closes #8939

show more ...

curl: re-enable --no-remote-name

Closes #8931

test680: require 'http' since it uses such a URL

Follow-up to d1b376c03524

CURLOPT_NETRC.3: document the .netrc file format

test680: verify rejection of malformatted .netrc quoted password

test679: verify netrc quoted string

netrc: support quoted strings

The .netrc parser now accepts strings within double-quotes in order to
deal with for example passwords containing white space - which
previously was not

netrc: support quoted strings

The .netrc parser now accepts strings within double-quotes in order to
deal with for example passwords containing white space - which
previously was not possible.

A password that starts with a double-quote also ends with one, and
double-quotes themselves are escaped with backslashes, like \". It also
supports \n, \r and \t for newline, carriage return and tabs
respectively.

If the password does not start with a double quote, it will end at first
white space and no escaping is performed.

WARNING: this change is not entirely backwards compatible. If anyone
previously used a double-quote as the first letter of their password,
the parser will now get it differently compared to before. This is
highly unfortunate but hard to avoid.

Reported-by: ImpatientHippo on GitHub
Fixes #8908
Closes #8937

show more ...