Add Curl_quic_idle which is called when no HTTP level read or write is
performed. It is a good place to handle timer expiry for QUIC transport
(.e.g, retransmission).
Closes#8698
SecTrustEvaluateAsync() is defined in the macOS 10.7 SDK, but it
requires Grand Central Dispatch to be supported by the compiler, and
some third-party macOS compilers do not support Grand Central Dispatch.
SecTrustCopyPublicKey() is not present in macOS 10.6, so this shouldn't
adversely affect anything.
Fixes#8846
Reported-by: Egor Pugin
Closes#8854
Commit 46d45ea3a incorrectly hardcoded the User-Agent in the test
output file which breaks when curlver is updated. Shift to using
the %VERSION macro instead.
Closes: #8856
The support for compiling on Mac OS 9 hasn't been modified since 2001
and has no active maintainer or packager, so it's time to remove it as
it's incredibly unlikely to work. If a maintainer re-emerges it can be
resurrected from Git history.
Closes: #8836
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Accessing local variables outside of the scope is forbidden and
depending on the compiler can result in the value being
overwritten. Fixed by moving the pwbuf to be in scope.
Closes#8850
- bump actions/checkout from 2 to 3
- bump actions/upload-artifact from 1 to 3
- bump github/codeql-actions from 1 to 2
- use version tag for actions/checkout
Closes#8843
- Windows command prompt doesn't use literal quoting via single quotes.
- Windows command prompt inner double quotes are escaped with a
backslash.
- Windows powershell does use single quotes but curl is not a powershell
script so the arguments may not be passed on correctly.
- Windows powershell inner double quotes seems can be passed to curl if
the outer quotes are double quotes and an escape of backslash-backtick
is used.
Command prompt example:
~~~
getargs -v -d "\"a\""
argv[0]: getargs
argv[1]: -v
argv[2]: -d
argv[3]: "a"
~~~
Ref: https://github.com/curl/curl/issues/8818
Ref: https://gist.github.com/jay/19aba48653bd591cf4b90eb9249a302c
Reported-by: KotlinIsland@users.noreply.github.com
Closes https://github.com/curl/curl/pull/8823
Explicitly initialize gss_buffer_desc strings such that a call to
freeing resources will succeed even if no data has been allocated
to it.
Reported-by: Jay Satiro <raysatiro@yahoo.com>
In case gss_display_status() returns an error, avoid trying to add
it to the buffer as the message may well be a NULL pointer.
Originally this fix comes from a discussion in issue #8816.
Closes: #8832
Reviewed-by: Jay Satiro <raysatiro@yahoo.com>
This makes it more likely that the trailer is received
seperately from the last-chunk.
curl doesn't seem to care about this but it makes the tests
more useful when testing external proxies like Privoxy.
This allows to use write delays for large responses without
resulting in the test taking an unreasonable amount of time.
In many cases delaying writes by a whole second or more isn't
necessary for the desired effect.
Closes#8827
We need to check if the strchr() call returns NULL (due to missing
char) before we use the returned value in arithmetic. There is no
live bug here, but fixing it before it can become for hygiene.
Closes: #8814
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
We have lots of unchecked msnprintf calls, and this particular msnprintf
call isn't more interesting than the others, but this one yields a Coverity
warning so let's implicitly silence it. Going over the other invocations
is probably a worthwhile project, but for now let's keep the static
analyzers happy.
Closes: #8831
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
The check for a dot in the domain must not consider a single trailing
dot to be fine, as then TLD + trailing dot is fine and curl will accept
setting cookies for it.
CVE-2022-27779
Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-27779.htmlCloses#8820
When --remove-on-error is used with --no-clobber, it might have an
updated file name to remove.
Bug: https://curl.se/docs/CVE-2022-27778.html
CVE-2022-27778
Reported-by: Harry Sintonen
Closes#8824
