- It is slower and uses more memory than the alternatives and is only
experimental in curl.
- We disable a few tests for OpenSSL-QUIC because of flakiness
- It gets little attention from OpenSSL and we have no expectation of the
major flaws getting corrected anytime soon.
- No one has spoken up for keeping it
- curl users building with vanilla OpenSSL can still use QUIC through the
means of ngtcp2
Closes#20226
When a download size is known and rate limiting is in effect, adjust the
duration of each measurement step and its rate for maximum precision.
Since it is unpredictable how long the last bytes of a download will
take, download speed can be thrown off if the "last bytes" are a
significant amount of the total download. Make the "last bytes" small in
comparision to the rest and "stretch" the rate limit intervals to
accommodate the difference.
Fix ngtcp2 receive data acknowldgements to be based on a local window
size tracking. This allows window updates controlled by rate limits.
Fix ratelimit wait time calculation to accomodate negative tokens.
h3 rate limit, update timeers
Make download rate limits work correctly in ngtcp2. Fix multi handling
of rate limits to set a timer for when limits will update again.
Without running the transfer on limit updates, protocols like h2/h3 may
stall if the server does not send due to stream windows being too small.
scorecard: measure download speedlimits
When running scorecard with --limit-rate=n, show the reported download
speed averages plus percentage deviation from the limit.
Closes#20228
- The 'uri' component needs to be escaped as well
- Rewrote the quote function to use dynbuf
- Build the digest at least partly with dynbuf
- Use goto as a general error mechanism
- Make test 64 use a double quote in the URL
Closes#20295
- `stdlib.h` and `string.h` is included via `curl_setup_once.h`,
allowing to drop from `tests/server` sources and `tool_doswin.c`.
- `stdlib.h` is also included via `setup-vms.h` (earlier than above),
allowing to drop it from `curl_addrinfo.h` on VMS.
Closes#20303
- update `ruff` from 0.14.10 to 0.14.11
- update `filelock` from 3.20.1 to 3.20.3 (CVE-2026-22701) (used in pytests)
- update `psutil` from 7.2.0 to 7.2.1
Closes#20300
To simplify the directory layout.
- OS400 and vms support move from `packages` to `projects`.
- Windows README and `generate.bat` files move from `projects`
to `projects/Windows`.
Closes#20271
This makes the easy handle 432 bytes smaller (totally 5352 bytes on my
rather maximized Linux 64 bit build). The 440 byte mimepost struct is
now allocated only when needed.
Closes#20260
Since the date format is fixed there is no need to accept more data.
Update test355 to verify reject of too long date in alt-svc file
This test case was originally supposed to verify alt-svc loading from a
file but never did because it was done incorrectly.
Now it verifies that a too long date in the input file makes curl
disregard the entry.
Closes#20259
Since the Lazy Lucas did not manage to get the fix merged in 0.24.7,
increase the pytest version check number in the hope that it will happen
in the next release.
Closes#20229
Avoid using PRIu32 and PRId32 in product source code. We don't need it.
It reduces readability. It is also inconsistent since unsigned int has
the same size and does not require the define.
DJGPP warns about using %u for uint32_t by default because it seems to
typedef it to unsigned long instead of unsigned int. Which even that is
annoying since long and int are both 32 bit on this platform.
We use our own *printf() implementation and we know this is safe.
This work-around defines uint32_t for DJGPP into unsigned int to avoid
the warnings and thus the need to use PRIu32 and PRId32.
Closes#20215
In an attempt to make sure that setting it again does not leak memory.
The second string is set to `""`, which is done so that this now finds
the problem reported in #20179.
Ref: #20179Closes#20181
- Each time field is now 7 characters wide, so that the total width
never exceeds 79 columns so that it works correctly also in Windows
terminals. The title lines are adjusted accordingly.
This is accomplished by using h:mm:ss style up to 10 hours, and for
longer periods switch to "nnX nnY" style output. For hours, days,
months and years.
For less than one hour, the hour field is now dropped.
When no time info is provided, the field is now space-only. No more
`-:--:--`.
Also fixed the output for really long times which previously was
completely broken. The largest time now shows as ">99999y". (Becase
I can't figure out a better way).
- For sizes, the widths are now properly fixed to 6 characters. When
displaying a unit with less than 3 digits, it shows two decimal
precision like "16777215 => 15.99M" and one decmal otherwise: "262143
=> 255.9k"
Also fixes the decimal math. 131071 is 127.9k, which it previously did
not show.
- The time and size field outputs are now properly verified in test
1636.
Fixes#20122Closes#20173
fixup use only space when no time exists
Drop the hour from the display when zero
A too long name is likely to cause a problem later anyway and get
reported there. We don't enforce file name lengths for any other
systems.
Assisted-by: Jay Satiro
Assisted-by: Viktor Szakats
Closes#20143
Time output:
- was broken for really large times
- now uses spaces instead of --:--:--
- >99999y is now the largest shown time
- show HH:MM:SS as long as hours are fewer than 100
Size:
- made the decimal output always only use a single decimal
Test:
- Add test 1622 to verify these functions
Closes#20177
When checking the reported times of a transfer, do not exptect
the 'queue' time to be in any relation to others. 'queue' uses its own
start timestamp and the reported duration is thereofore independant.
Ref: #20112Closes#20163
Do not generate a 400 response code, but use a 200 one. The upload needs
to fail on sending, not on seeing a 400 response. Seeing a 400 before
the sending fails (when CI timings shift) will expose the wrong error
code.
Ref: #20112Closes#20164
We recently allowed a larger send buffer in ngtcp2 streams. This allowed
curl to send more early data then previously when the server was slow in
performing the handshake. This led to flaky test failures when the
amount of early data was larger than expected.
Change test expectations to allow for varying amount of early data.
Ref: #20112Closes#20161
The 'ma' and 'persist' keywords should be considered per list entry, not
once per header.
Expand test 1654 to verify such headers
Reported-by: Hunt Darlener
Closes#20160
Add a `cert-status` feature flag to `curlinfo`, based on the conditions
used in `lib/vtls` sources.
To:
- fix disabling this test when using OpenSSL (or fork) built with
the `no-ocsp` option.
- enable this test for AWS-LC in CI.
Note:
- BoringSSL (and quiche) has OSCP disabled by default.
- MultiSSL dynamic selection continues to confuse this test.
(To fix it, support would need to be detected by querying libcurl
via curl. Probably overkill given that OCSP is on its way out.)
Follow-up to f2c765028f#20149Closes#20133
Already included directly via `hostip.c`, and other header users do not
use it.
Also add comment about why `setjmp.h` is used.
Cherry-picked from #20106Closes#20132
The migration to the strparse API introduced regressions in Digest
authentication parsing where Optional Whitespace (OWS) after commas was
not skipped, and escaped quotes in values were not correctly parsed.
This change ensures whitespace is skipped before key lookups and escaped
characters are properly handled and unescaped in quoted values.
Reported-by: herdiyanitdev on hackerone
Closes#20102
- Use 32767-1 instead of PATH_MAX-1 (260-1) as the maximum allowable
length of a path in Windows.
Prior to this change the path sanitizer in Windows used 32767-1 as the
maximum length only for paths that had the "\\" prefix like
"\\?\longpath". Since then we added some workarounds to open longer
paths without "\\?\" prefix by normalizing the path and adding that
prefix, and the sanitizer is called before the prefix is added.
Bug: https://github.com/curl/curl/issues/20044
Reported-by: Viktor Szakats
Closes https://github.com/curl/curl/pull/20046
- asyn-thrdd.c: scope an include.
- apply more clang-format suggestions.
- tidy-up PP guard comments.
- delete empty line from the top of headers.
- add empty line after `curl_setup.h` include where missing.
- fix indent.
- CODE_STYLE.md: add `strcpy`.
Follow-up to 8636ad55df#20088
- lib1901.c: drop unnecessary line.
Follow-up to 436e67f65b#20076Closes#20070
- they rarely catch any problems
- we have other ways to test different send/recv problems
- the number of such calls vary much more per invoke than others, making
memdebugging harder
- reducing the total number of fallible functions per test is good
- they were not used as intended anyway
Closes#20097
The cookie flushing (saving to a cookie jar) should only be done if a
transfer has been started. This is now done by checking the
cookies->running field, which is not reset in curl_easy_reset() so the
saving works correctly even after a call to that.
Follow-up to fd6eb8d6e7
Verified by test 1920
Reported-by: Alexander Batischev
Fixes#20090Closes#20094
