Makes it report "Invalid response header" instead of the slightly odd "A
libcurl function was given a bad argument".
Add test 749 and 750 for more CONNECT response testing.
Reported-by: Int64x86 on github
Fixes#17330Closes#17336
- make the scanner not whitelist anything for test cases making
everything non-ascii forced to be hex encoded
- update all tests using non-ascii bytes to use %hex[] sequences
Closes#17331
Further untangle the test server code from curl code. While the string
comparison functions are available in the libcurl API, the tests servers
don't link with libcurl. Use native functions instead.
Closes#17328
Exclude test data files (4 of them) based on existing feature tags:
`codeset-utf8` and `Unicode`.
Add the new keyword `non-ascii` to mark remaining exceptions (9 files).
Follow-up to 838dc53bb7#17247Closes#17329
Since the test servers are not built with libcurl the *printf code
needed to get built separately, and they are not in the curlx
collection.
snprintf() is provided in all modern systems these days.
Move curlx functions from lib/strerror.c to lib/curlx/winapi.c
Assisted-by: Viktor Szakats
Closes#17294
When cancelling a threaded resolve and the thread is
still running, detach from it under the mutex lock.
Otherwise, the detach might happen after the thread finished
and access already freed memory.
Fixes#17256
Reported-by: Mathieu Garaud
Closes#17320
The offical Firefox source code has moved to GitHub:
https://github.com/mozilla-firefox/firefox
This change adjusts to the new URLs. The old branches nss and central
are not provided so they are removed and the new 'autoland' is added.
Closes#17321
- Clarify that the ssl_version in MultiSSL builds contains all SSL
backend names with the inactive backend names in parentheses.
Closes https://github.com/curl/curl/pull/17308
- add more unusual input cases
- add a valid non-http protocol
- fix tests so an input that should be stripped but isn't is a failure
- fix detection of when stripcredentials() would be available to test
- avoid using a NULL pointer
Closes#17304
Drop the interim macro `PRESERVE_WINDOWS_ERROR_CODE` and always preserve
error code for `_WIN32`. To make sure this is always done in
`curlx_winapi_strerror()`.
Follow-up to c74d3e10d2#17299Closes#17302
It is not provided as a curlx function so should not be used outside of
libcurl.
I strongly suspect that no system we build the test suite on lack strdup
so this will not cause any harm.
The private version was added in b0936b8007 for Ultrix.
Closes#17297
It was not a function properly exposed in the curlx set. SMB cannot
possibly need to send a real pid, now sends a made up number.
The only real users of this function are test servers, so move the logic
over there.
Closes#17298
Tests with old cmake are slow. (no Ninja, no unity, and running slower
than recent versions.)
It also revealed that 3.7.2 2017-01-13 is too old to consume curl via
`find_package()` due to:
```
CMake Error at bld-curl/_pkg/lib/cmake/CURL/CURLConfig.cmake:69 (add_library):
add_library cannot create ALIAS target "CURL::libcurl" because target
"CURL::libcurl_shared" is IMPORTED.
Call Stack (most recent call first):
CMakeLists.txt:48 (find_package)
CMake Error at bld-curl/_pkg/lib/cmake/CURL/CURLConfig.cmake:69 (add_library):
add_library cannot create ALIAS target "CURL::libcurl" because target
"CURL::libcurl_shared" is IMPORTED.
Call Stack (most recent call first):
CMakeLists.txt:49 (find_package)
```
The mitigation for this issue requires 3.11.
Also:
- rename a few existing envs to use the `TEST_` prefix.
- make the `find_package` test provider stage verbose.
- fix issue when consuming with cmake 3.7.2 (all platforms):
```
CMake Error at /home/runner/cmake-3.7.2-Linux-x86_64/share/cmake-3.7/Modules/CMakeFindDependencyMacro.cmake:25 (message):
Invalid arguments to find_dependency. VERSION is empty
Call Stack (most recent call first):
bld-curl/_pkg/lib/cmake/CURL/CURLConfig.cmake:52 (find_dependency)
CMakeLists.txt:48 (find_package)
```
Ref: https://github.com/curl/curl/actions/runs/14906066962/job/41868621979?pr=17293#step:9:1199Closes#17293
The limit is 5000 headers in a single transfer. To avoid problems caused
by mistakes or malice.
Add test 747 to verify
Reported-by: wolfsage on hackerone
Closes#17281
The pedantic level is experimental. If it causes issues, we may just
disable it alongside the ignore comments.
Also:
- silence error:
```
INFO audit: zizmor: completed label.yml
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> label.yml:13:1
|
13 | 'on': [pull_request_target]
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^ pull_request_target is almost always used insecurely
|
= note: audit confidence -> Medium
```
- fix pedantic warning:
```
INFO audit: zizmor: completed label.yml
warning[excessive-permissions]: overly broad permissions
--> label.yml:1:1
... |
24 | | with:
25 | | repo-token: '${{ secrets.GITHUB_TOKEN }}'
| |____________________________________________________- default permissions used due to no permissions: block
|
= note: audit confidence -> Medium
```
- silence `template-injection` false positives like:
```
- note: ${{ matrix.build.torture && 'test-torture' || 'test-ci' }} may expand into attacker-controllable code
- note: ${{ contains(matrix.build.install_steps, 'pytest') && 'caddy httpd vsftpd' || '' }} may expand into attacker-controllable code
```
It doesn't seem like these could be controlled by an attacker.
Let me know if I'm missing something.
Closes#17278
