- If the UTF-8 to UTF-16 conversion fails in Windows Unicode builds then
no longer fall back to assuming the string is in a local encoding.
Background:
Some functions in Windows Unicode builds must convert UTF-8 to UTF-16 to
pass to the Windows CRT API wide-character functions since in Windows
UTF-8 is not a valid locale (or at least 99% of the time right now).
Prior to this change if the Unicode encoding conversion failed then
libcurl would assume, for backwards compatibility with applications that
may have written their code for non-Unicode builds, attempt to convert
the string from local encoding to UTF-16.
That type of "best effort" could theoretically cause some type of
security or other problem if a string that was locally encoded was also
valid UTF-8, and therefore an unexpected UTF-8 to UTF-16 conversion
could occur.
Ref: https://github.com/curl/curl/pull/7246
Closes https://github.com/curl/curl/pull/7257
Introducing a 'isproxy' argument to the connect function so that it
knows wether to store the time stamp or not.
Reported-by: Yongkang Huang
Fixes#7274Closes#7274
Unicode Windows builds use UTF-8 strings internally in libcurl,
so make sure to call the UTF-8 flavour of the libidn2 API. Also
document that Windows builds with libidn2 and UNICODE do expect
CURLOPT_URL as an UTF-8 string.
Reported-by: dEajL3kA on github
Assisted-by: Jay Satiro
Reviewed-by: Marcel Raad
Closes#7246Fixes#7228
They were never officially allowed and slipped in only due to sloppy
parsing. Spaces (ascii 32) should be correctly encoded (to %20) before
being part of a URL.
The new flag bit CURLU_ALLOW_SPACE when a full URL is set, makes libcurl
allow spaces.
Updated test 1560 to verify.
Closes#7073
For the commandline tool, we expect to be passed
SSL_CONN_CONFIG(CAfile); for library use, the use should pass a set of
trusted roots (like in other TLS backends).
This also removes a dependency on Security.framework when building on
macOS.
Closes#7250
scan-build-6 otherwise warns, saying: warning: The left operand of '>='
is a garbage value otherwise, which is false.
Later scan-builds don't claim this on the same code.
Closes#7248
When a connection is disassociated from a transfer, the Session ID entry
should remain.
Regression since 7f4a9a9 (shipped in libcurl 7.77.0)
Reported-by: Gergely Nagy
Reported-by: Paul Groke
Fixes#7222Closes#7230
FD_SETSIZE is irrelevant when using poll. So ensuring that the file
descriptor is smaller than FD_SETSIZE in VALID_SOCK, can cause
multi_wait to ignore perfectly valid file descriptors and simply wait
for 1s to avoid hammering the CPU in a busy loop.
Fixes#7240Closes#7241
The latest GnuTLS-3.7.2 implements disable switch for TLSv1.3 compatible
mode for middle box but it is enabled by default, which is unnecessary
for QUIC.
Fixes#6896Closes#7202
Removing expired cookies needs to be a fast operation since we want to
be able to perform it often and speculatively. By tracking the timestamp
of the next known expiration we can exit early in case the timestamp is
in the future.
Closes: #7172
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Trying dual-stack on some embedded platform, I noticed that quite
frequently (20%) libCurl starts from IPv4 regardless the Happy Eyeballs
timeout value. After debugging this issue, I noticed that this happens
if c-ares resolver response for IPv6 family comes before IPv4 (which was
randomly happening in my tests).
In such cases, because libCurl puts the last resolver response on top of
the address list, when IPv4 resolver response comes after IPv6 one - the
IPv4 family starts the connection phase instead of IPv6 family.
The solution for this issue is to always put IPv6 addresses on top of
the address list, regardless the order of resolver responses.
Bug: https://curl.se/mail/lib-2021-06/0003.htmlCloses#7188
Commit 1c1d9f1aff removed the last use
for the inet_pton.h headerfile, this removes the inclusion of the
header.
Closes: #7182
Reviewed-by: Daniel Stenberg <daniel@haxx.se>
Jay Satiro