They allow to override the hardcoded values for the `windres` and `strip`
tools, complementing the existing set of `CURL_{CC,AR,RANLIB}` variables.
`CURL_RC` comes handy when using LLVM tools with `CROSSPREFIX=llvm-` and
`CURL_CC=clang` set on current latest debian:unstable or earlier, where
`llvm-windres` is missing, and a `CURL_RC=<triplet>-windres` fixes it.
Hopefully this will be fixed in the llvm package. FWIW `llvm-windres`
does exist in Homebrew llvm, MSYS2 llvm and llvm-mingw.
Reviewed-by: Daniel Stenberg
Closes#9132
Regression since 9e5669f.
Make sure the "cleaning" of command line arguments is done on the
original argv[] pointers. As a bonus, it also exits better on out of
memory error.
Reported-by: Litter White
Fixes#9128Closes#9130
Makefile.m32's ngtcp2 has its two libs hardwired for OpenSSL.
Add `NGTCP2_LIBS` envvar to override them with a custom list,
making it possible to use BoringSSL, or any other backend.
Closes#9109
When building curl for target platform other than x64 and x86, it is now
possible to pass `ARCH=custom`, that will omit all hardcoded logic for
setting up CFLAGS/LDFLAGS/RCFLAGS for these platforms, and let these be
customized via `CURL_CFLAG_EXTRAS`, `CURL_LDFLAG_EXTRAS`, and a newly
added one for the resource compiler: `CURL_RCFLAG_EXTRAS`.
This makes it possible to use `makefile.m32` to build for ARM64 for
example.
Reviewed-by: Daniel Stenberg
Closes#9092
- Use the Windows API to seed the fallback random generator.
This ensures to always have a random seed, even when libcurl is built
with a vtls backend lacking a random generator API, such as rustls
(experimental), GSKit and certain mbedTLS builds, or, when libcurl is
built without a TLS backend. We reuse the Windows-specific random
function from the Schannel backend.
- Implement support for `BCryptGenRandom()` [1] on Windows, as a
replacement for the deprecated `CryptGenRandom()` [2] function.
It is used as the secure random generator for Schannel, and also to
provide entropy for libcurl's fallback random generator. The new
function is supported on Vista and newer via its `bcrypt.dll`. It is
used automatically when building for supported versions. It also works
in UWP apps (the old function did not).
- Clear entropy buffer before calling the Windows random generator.
This avoids using arbitrary application memory as entropy (with
`CryptGenRandom()`) and makes sure to return in a predictable state
when an API call fails.
[1] https://docs.microsoft.com/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom
[2] https://docs.microsoft.com/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandomCloses#9027
... as replacements for deprecated CURLOPT_PROTOCOLS and
CURLOPT_REDIR_PROTOCOLS as these new ones do not risk running into the
32 bit limit the old ones are facing.
CURLINFO_PROTCOOL is now deprecated.
The curl tool is updated to use the new options.
Added test 1597 to verify the libcurl protocol parser.
Closes#8992
Since this [1] commit in 2011, `_WIN32_WINNT` was set fixed to Windows
XP when the `-ipv6` option is selected. Maybe this was added to support
pre-XP Windows versions (?). These days libcurl builds fine for both XP
and post-XP versions with IPv6 support enabled. The relevance of pre-XP
version is also low by now. Other build methods also do not impose such
limitation for a similar configuration. So, drop this hard-wired
`_WIN32_WINNT` limit from `Makefile.m32`, thus building for the default
Windows version set by the compiler. This is Vista for recent MinGW
versions.
Old behaviour can be restored by setting this envvar:
export CURL_CFLAG_EXTRAS=-D_WIN32_WINNT=0x0501
[1] 98a61d8e2eCloses#9035
Referring to Daniel's article [1], making the init function thread-safe
was the last bit to make libcurl thread-safe as a whole. So the name of
the feature may as well be the more concise 'threadsafe', also telling
the story that libcurl is now fully thread-safe, not just its init
function. Chances are high that libcurl wants to remain so in the
future, so there is little likelihood of ever needing any other distinct
`threadsafe-<name>` feature flags.
For consistency we also shorten `CURL_VERSION_THREADSAFE_INIT` to
`CURL_VERSION_THREADSAFE`, update its description and reference libcurl's
thread safety documentation.
[1]: https://daniel.haxx.se/blog/2022/06/08/making-libcurl-init-more-thread-safe/
Reviewed-by: Daniel Stenberg
Reviewed-by: Jay Satiro
Closes#8989
Add licensing and copyright information for all files in this repository. This
either happens in the file itself as a comment header or in the file
`.reuse/dep5`.
This commit also adds a Github workflow to check pull requests and adapts
copyright.pl to the changes.
Closes#8869
This flag can be used to make sure that curl_global_init() is
thread-safe.
This can be useful for libraries that can't control what other
dependencies are doing with Curl.
Closes#8680
- Clamp --parallel-max to MAX_PARALLEL (300) instead of resetting to
default value.
Previously, --parallel-max 300 would use 300 concurrent transfers, but
--parallel-max 301 would unexpectedly use only 50. This change clamps
higher values to the maximum (ie --parallel-max 301 would use 300).
Closes https://github.com/curl/curl/pull/8930
Before this patch, it was only enabled for MSVC. This syncs this
configuration with libcurl.rc, which was already included with
every Windows compiler.
Closes#8918
In CMakeLists.txt there is an attempt to detect `stricmp()`, and in
certain cases, this attempt is the only successful one to detect a
case-insensitive comparison function. `HAVE_STRICMP` is defined as
a result, but this macro wasn't used anywhere in the source. This
patch makes use of it as an alternative when alpha-sorting the
`--version` feature list.
Reviewed-by: Daniel Stenberg
Closes#8916
- `-D_AMD64_` has not been necessary for mingw-w64 builds for a long time now.
- `-fno-strict-aliasing` is mentioned for Intel C compiler in autotools, and
I used this with VxWorks in another project, but otherwise this isn't
necessary anymore as a default. If a target still needs it, it can be
added with `CURL_CFLAG_EXTRAS=-fno-strict-aliasing`
- bump up default optimization level to `-O3` (from `-O2`), and also rearrange
option order so the default can now be overridden via
`CURL_CFLAG_EXTRAS`.
- delete `-g` (generate debug info) from `CFLAGS` and `-s` from `LDFLAGS`
(strip debug info). They were working against each other. Now, if someone
needs debug info, it can be enabled via `CURL_CFLAG_EXTRAS=-g`
Closes#8904
The support for compiling on Mac OS 9 hasn't been modified since 2001
and has no active maintainer or packager, so it's time to remove it as
it's incredibly unlikely to work. If a maintainer re-emerges it can be
resurrected from Git history.
Closes: #8836
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
When --remove-on-error is used with --no-clobber, it might have an
updated file name to remove.
Bug: https://curl.se/docs/CVE-2022-27778.html
CVE-2022-27778
Reported-by: Harry Sintonen
Closes#8824
param_place cannot be NULL here since we immediately efter this block
perform arithmetic on it (and use it in order to get here) so there is
little reason to check.
Closes: #8786
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
If the new filename cannot be generated due to memory pressure, free
the allocated aname on the way out to avoid a small leak.
Closes: #8770
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
When generating the new filename, make sure we aren't overflowing the
size_t limit when calculating the new length. This is mostly academic
but good code hygeine nonetheless.
Closes: #8771
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
In order to avoid the risk of it being used in an accidental trigraph in
the generated code.
Reported-by: Harry Sintonen
Bug: https://hackerone.com/reports/1548535Closes#8742
Also move timediff_t definitions from timeval.h to timediff.h and
then make timeval.h include the new standalone-capable timediff.h.
Reviewed-by: Jay Satiro
Reviewed-by: Daniel Stenberg
Supersedes #5888Closes#8595
This loop was using the number of bytes read from the file as condition
to keep reading.
From Linux's fread(3) man page:
> On success, fread() and fwrite() return the number of items read or
> written. This number equals the number of bytes transferred only when
> size is 1. If an error occurs, or the end of the file is reached, the
> return value is a short item count (or zero).
>
> The file position indicator for the stream is advanced by the number
> of bytes successfully read or written.
>
> fread() does not distinguish between end-of-file and error, and
> callers must use feof(3) and ferror(3) to determine which occurred.
This means that nread!=0 doesn't make much sense as an end condition for
the loop: nread==0 doesn't necessarily mean that EOF has been reached or
an error has occured (but that is usually the case) and nread!=0 doesn't
necessarily mean that EOF has not been reached or that no read errors
have occured. feof(3) and ferror(3) should be uses when using fread(3).
Currently curl has to performs an extra fread(3) call to get a return
value equal to 0 to stop looping.
This usually "works" (even though nread==0 shouldn't be interpreted as
EOF) if stdin is a pipe because EOF usually marks the "real" end of the
stream, so the extra fread(3) call will return immediately and the extra
read syscall won't be noticeable:
bash-5.1$ strace -e read curl -s -F file=@- 0x0.st <<< a 2>&1 |
> tail -n 5
read(0, "a\n", 4096) = 2
read(0, "", 4096) = 0
read(0, "", 4096) = 0
http://0x0.st/oRs.txt
+++ exited with 0 +++
bash-5.1$
But this doesn't work if curl is reading from stdin, stdin is a
terminal, and the EOF is being emulated using a shell with ^D. Two
consecutive ^D will be required in this case to actually make curl stop
reading:
bash-5.1$ curl -F file=@- 0x0.st
a
^D^D
http://0x0.st/oRs.txt
bash-5.1$
A possible workaround to this issue is to use a program that handles EOF
correctly to indirectly send data to curl's stdin:
bash-5.1$ cat - | curl -F file=@- 0x0.st
a
^D
http://0x0.st/oRs.txt
bash-5.1$
This patch makes curl handle EOF properly when using fread(3) in
file2memory() so that the workaround is not necessary.
Since curl was previously ignoring read errors caused by this fread(3),
ferror(3) is also used in the condition of the loop: read errors and EOF
will have the same meaning; this is done to somewhat preserve the old
behaviour instead of making the command fail when a read error occurs.
Closes#8701
As one implies PUT and the other POST, both cannot be used
simultaneously.
Add test 378 to verify.
Reported-by: Boris Verkhovskiy
Fixes#8704Closes#8715
Move checksrc.pl, firefox-db2pem.sh and mk-ca-bundle.pl since they don't
particularly belong in lib/
Also created an EXTRA_DIST= in scripts/Makefile.am instead of specifying
those files in the root Makefile.am
Closes#8625
On Windows data can be lost in buffers in case of abnormal program
termination, especially in process chains as seen due to flaky tests.
Therefore flushing all buffers manually should avoid this data loss.
In the curl tool we play the safe game by only flushing write buffers,
but in the testsuite where we manage all buffers, we flush everything.
This should drastically reduce Windows CI and testsuite flakiness.
Reviewed-by: Daniel Stenberg
Supersedes #7833 and #6064Closes#8516
This turns even relative URLs into clickable hyperlinks in a supported
terminal when --styled-output is enabled. Many terminals already turn
URLs into clickable links but there is not enough information in a
relative URL to do this automatically otherwise.
If a transfer returns an error, using this option makes curl remove the
leftover downloded (partial) local file before exiting.
Added test 376 to verify
Closes#8503
