SECURITY-PROCESS: tweak a little to match current practices

Closes #7713

http_proxy: fix the User-Agent inclusion in CONNECT

It should not refer to the uagent string that is allocated and created
for the end server http request, as that pointer may be cleared

http_proxy: fix the User-Agent inclusion in CONNECT

It should not refer to the uagent string that is allocated and created
for the end server http request, as that pointer may be cleared on
subsequent CONNECT requests.

Added test case 1184 to verify.

Reported-by: T200proX7 on github
Fixes #7705
Closes #7707

show more ...

Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited

Reported-by: Jonathan Cardoso
Fixes #7710
Closes #7711

ngtcp2: fix build with ngtcp2 and nghttp3

ngtcp2_conn_client_new and nghttp3_conn_client_new are now macros.
Check the wrapped functions instead.

ngtcp2_stream_close callback no

ngtcp2: fix build with ngtcp2 and nghttp3

ngtcp2_conn_client_new and nghttp3_conn_client_new are now macros.
Check the wrapped functions instead.

ngtcp2_stream_close callback now takes flags parameter.

Closes #7709

show more ...

write-out.d: clarify size_download/upload

They show the number of "body" bytes transfered.
Fixes #7702
Closes #7706

http2: Curl_http2_setup needs to init stream data in all invokes

Thus function was written to avoid doing multiple connection data
initializations, which is fine, but since it also initi

http2: Curl_http2_setup needs to init stream data in all invokes

Thus function was written to avoid doing multiple connection data
initializations, which is fine, but since it also initiates stream
related data it is crucial that it doesn't skip those even if called
again for the same connection. Solved by moving the stream
initializations before the "doing-it-again" check.

Reported-by: Inho Oh
Fixes #7630
Closes #7692

show more ...

url: fix compiler warning in no-verbose builds

Follow-up from 2f0bb864c12

Closes #7700

non-ascii: fix build errors from strerror fix

Follow-up to 2f0bb864c12

Closes #7697

parse_args: redo the warnings for --remote-header-name combos

... to avoid the memory leak risk pointed out by scan-build.

Follow-up from 7a3e981781d6c18a

Closes #7698

ngtcp2: adapt to new size defintions upstream

Reviewed-by: Tatsuhiro Tsujikawa
Closes #7699

rustls: add strerror.h include

Follow-up to 2f0bb864c12

docs: the security list is reached at security at curl.se now

Also update the FAQ section a bit to encourage users to rather submit
security issues on hackerone than sending email.

docs: the security list is reached at security at curl.se now

Also update the FAQ section a bit to encourage users to rather submit
security issues on hackerone than sending email.

Closes #7689

show more ...

runtests: add option -u to error on server unexpectedly alive

Let's try to actually handle the server unexpectedly alive
case by first making them visible on CI builds as failures.

runtests: add option -u to error on server unexpectedly alive

Let's try to actually handle the server unexpectedly alive
case by first making them visible on CI builds as failures.

This is needed to detect issues with killing of the test
servers completely including nested process chains with
multiple PIDs per test server (including bash and perl).

On Windows/cygwin platforms this is especially helpful with
debugging PID mixups due to cygwin using its own PID space.

Reviewed-by: Daniel Stenberg
Closes #7180

show more ...

opts docs: unify phrasing in NAME header

- avoid writing "set ..." or "enable/disable ..." or "specify ..."
*All* options for curl_easy_setopt() are about setting or enabling
thi

opts docs: unify phrasing in NAME header

- avoid writing "set ..." or "enable/disable ..." or "specify ..."
*All* options for curl_easy_setopt() are about setting or enabling
things and most of the existing options didn't use that way of
description.

- start with lowercase letter, unless abbreviation. For consistency.

- Some additional touch-ups

Closes #7688

show more ...

strerror.h: remove the #include from files not using it

lib: don't use strerror()

We have and provide Curl_strerror() internally for a reason: strerror()
is not necessarily thread-safe so we should always try to avoid it.

Extended ch

lib: don't use strerror()

We have and provide Curl_strerror() internally for a reason: strerror()
is not necessarily thread-safe so we should always try to avoid it.

Extended checksrc to warn for this, but feature the check disabled by
default and only enable it in lib/

Closes #7685

show more ...

cirrus: Add FreeBSD 13.0 job and disable sanitizer build

As alluded to the in the now removed comment, a 13.0 image became
available and is now ready to be used.

The sanitizer b

cirrus: Add FreeBSD 13.0 job and disable sanitizer build

As alluded to the in the now removed comment, a 13.0 image became
available and is now ready to be used.

The sanitizer builds were running on the 12.1 image which since has
been removed from the config, leaving the builds not running at all.
When enabled it turns out that they don't actually work due to very
long timeouts in executing the tests, so keep the disabled for now
but a bit more controlled.

Closes #7592

show more ...

copyrights: update copyright year ranges

RELEASE-NOTES: synced

INTERNALS: c-ares has a new home: c-ares.org

docs: remove experimental mentions from HSTS and MQTT

Reported-by: Jonathan Cardoso
Bug: https://github.com/curl/curl/pull/6700#issuecomment-913792863
Closes #7681

curl: add warning for incompatible parameters usage

--continue-at - and --remote-header-name are known incompatible parameters

Closes #7674

examples/*hiperfifo.c: fix calloc arguments to match function proto

Closes #7678

INTERNALS: bump c-ares requirement to 1.16.0

Since ba904db0705c93 we use ares_getaddrinfo, added in c-ares 1.16.0

curl: stop retry if Retry-After: is longer than allowed

If Retry-After: specifies a period that is longer than what fits within
--retry-max-time, then stop retrying immediately.

curl: stop retry if Retry-After: is longer than allowed

If Retry-After: specifies a period that is longer than what fits within
--retry-max-time, then stop retrying immediately.

Added test 366 to verify.

Reported-by: Kari Pahula
Fixes #7675
Closes #7676

show more ...