[pull] master from curl:master

RELEASE-NOTES

@@ -4,7 +4,7 @@ curl and libcurl 8.12.2
  Command line options:         267
  curl_easy_setopt() options:   306
  Public functions in libcurl:  96
- Contributors:                 3345
+ Contributors:                 3347
 
 This release includes the following changes:
 
@@ -16,8 +16,10 @@ This release includes the following bugfixes:
  o asyn-thread: avoid the separate curl_mutex_t alloc [6]
  o asyn-thread: do not allocate thread_data separately [21]
  o asyn-thread: remove 'status' from struct Curl_async [36]
+ o build: enable -Wjump-misses-init for GCC 4.5+ [62]
  o build: fix compiler warnings in feature detections [39]
  o build: set `HAVE_WRITABLE_ARGV` for Apple cross-builds [8]
+ o cmake: `SHARE_LIB_OBJECT=ON` requires CMake 3.12 or newer [46]
  o cmake: add pre-fill for Unix, enable in GHA/macos, verify pre-fills [42]
  o cmake: allow empty custom `IMPORT_LIB_SUFFIX`, add suffix collision detection [41]
  o cmake: drop `HAVE_IN_ADDR_T` from pre-fill too
@@ -26,27 +28,41 @@ This release includes the following bugfixes:
  o cmake: fix ECH detection in custom-patched OpenSSL [32]
  o cmake: mention 'insecure' in the debug build warning [15]
  o cmake: misc tidy-ups [38]
+ o cmake: sync OpenSSL(-fork) feature checks with `./configure` [49]
  o CODE_STYLE: readability and banned functions [35]
  o configure: use `curl_cv_apple` variable [40]
+ o cookie: minor parser simplification [58]
  o cookie: simplify invalid_octets() [24]
  o curl_msh3: remove verify bypass from DEBUGBUILDs [43]
  o docs: add FD_ZERO to curl_multi_fdset example [19]
  o docs: correct argument names & URL redirection [4]
+ o hash: use single linked list for entries [57]
+ o hostip: make CURLOPT_RESOLVE support replacing IPv6 addresses [47]
  o HTTP3.md: only speak about minimal versions [18]
  o http: fix NTLM info message typo [22]
+ o http: version negotiation [45]
+ o http_aws_sigv4: use strparse more for parsing [55]
+ o https-rr: implementation improvements [44]
  o lib: better optimized casecompare() and ncasecompare() [3]
+ o lib: simplify more white space loops [60]
  o lib: strtoofft.h header cleanup [17]
+ o lib: use Curl_str_* instead of strtok_r() [59]
  o lib: use Curl_str_number() for parsing decimal numbers [13]
  o managen: correct the warning for un-escaped '<' and '>' [1]
+ o openssl: remove bad `goto`s into other scope [63]
  o scripts/managen: fix option 'single' [31]
  o scripts/managen: fix parsing of markdown code sections [30]
+ o ssh: consider sftp quote commands case sensitive [33]
+ o ssl session cache: add exportable flag [56]
  o strparse: make Curl_str_number() return error for no digits [14]
  o strparse: switch the API to work on 'const char *' [2]
  o strparse: switch to curl_off_t as base data type [7]
  o tests: fix enum/int confusion (Intel C), fix autotools `CFLAGS` for `servers` [27]
  o tidy-up: delete, comment or scope C macros reported unused [16]
  o tidy-up: drop unused `CURL_INADDR_NONE` macro and `in_addr_t` type [26]
+ o tidy-up: use `CURL_ARRAYSIZE()` [37]
  o timediff: fix comment for curlx_mstotv() [25]
+ o timediff: remove unnecessary double typecast [53]
  o urlapi: simplify junkscan [23]
  o variable.md: clarify 'trim' example [12]
  o wolfssh: retrieve the error using wolfSSH_get_error [5]
@@ -71,10 +87,11 @@ Planned upcoming removals include:
 This release would not have looked like this without help, code, reports and
 advice from friends like these:
 
-  Anthony Hu, Daniel Stenberg, Harry Sintonen, Joseph Chen, kriztalz,
-  Marcel Raad, Ray Satiro, RubisetCie on Github, Sergey, Stefan Eissing,
+  Anthony Hu, Daniel Stenberg, dependabot[bot], Harry Sintonen, John Bampton,
+  Joseph Chen, kriztalz, Marcel Raad, Mark Phillips, Ray Satiro,
+  rmg-x on github, RubisetCie on Github, Sergey, Stefan Eissing,
   Viktor Szakats
-  (11 contributors)
+  (15 contributors)
 
 References to bug reports and discussions on issues:
 
@@ -109,11 +126,27 @@ References to bug reports and discussions on issues:
  [30] = https://curl.se/bug/?i=16345
  [31] = https://curl.se/bug/?i=16344
  [32] = https://curl.se/bug/?i=16354
+ [33] = https://curl.se/bug/?i=16382
  [35] = https://curl.se/bug/?i=16349
  [36] = https://curl.se/bug/?i=16347
+ [37] = https://curl.se/bug/?i=16381
  [38] = https://curl.se/bug/?i=16238
  [39] = https://curl.se/bug/?i=16287
  [40] = https://curl.se/bug/?i=16340
  [41] = https://curl.se/bug/?i=16324
  [42] = https://curl.se/bug/?i=15841
  [43] = https://curl.se/bug/?i=16342
+ [44] = https://curl.se/bug/?i=16132
+ [45] = https://curl.se/bug/?i=16100
+ [46] = https://curl.se/bug/?i=16375
+ [47] = https://curl.se/bug/?i=16357
+ [49] = https://curl.se/bug/?i=16352
+ [53] = https://curl.se/bug/?i=16367
+ [55] = https://curl.se/bug/?i=16366
+ [56] = https://curl.se/bug/?i=16322
+ [57] = https://curl.se/bug/?i=16351
+ [58] = https://curl.se/bug/?i=16362
+ [59] = https://curl.se/bug/?i=16360
+ [60] = https://curl.se/bug/?i=16363
+ [62] = https://curl.se/bug/?i=16252
+ [63] = https://curl.se/bug/?i=16356

docs/KNOWN_BUGS

@@ -633,7 +633,7 @@ problems may have been fixed or changed somewhat since this was written.
 
 17.4 HTTP/2 + TLS spends a lot of time in recv
 
- It has been observered that by making the speed limit less accurate we could
+ It has been observed that by making the speed limit less accurate we could
  improve this performance. (by reverting
  https://github.com/curl/curl/commit/db5c9f4f9e0779b49624752b135281a0717b277b)
  Can we find a golden middle ground?

lib/cf-socket.c

@@ -995,7 +995,7 @@ static CURLcode cf_socket_ctx_init(struct cf_socket_ctx *ctx,
     p = getenv("CURL_DBG_SOCK_RMAX");
     if(p) {
       curl_off_t l;
-      if(!Curl_str_number(&p, &l, SIZE_T_MAX))
+      if(!Curl_str_number(&p, &l, CURL_OFF_T_MAX))
         ctx->recv_max = (size_t)l;
     }
   }

lib/cfilters.c

@@ -882,14 +882,14 @@ CURLcode Curl_conn_send(struct Curl_easy *data, int sockindex,
   DEBUGASSERT(data->conn);
   conn = data->conn;
 #ifdef DEBUGBUILD
-  {
+  if(write_len) {
     /* Allow debug builds to override this logic to force short sends
     */
     const char *p = getenv("CURL_SMALLSENDS");
     if(p) {
       curl_off_t altsize;
-      if(!Curl_str_number(&p, &altsize, SIZE_T_MAX))
-        write_len = CURLMIN(write_len, (size_t)altsize);
+      if(!Curl_str_number(&p, &altsize, write_len))
+        write_len = (size_t)altsize;
     }
   }
 #endif

lib/request.c

@@ -195,11 +195,13 @@ static CURLcode xfer_send(struct Curl_easy *data,
     /* Allow debug builds to override this logic to force short initial
        sends */
     size_t body_len = blen - hds_len;
-    const char *p = getenv("CURL_SMALLREQSEND");
-    if(p) {
-      curl_off_t body_small;
-      if(!Curl_str_number(&p, &body_small, body_len))
-        blen = hds_len + (size_t)body_small;
+    if(body_len) {
+      const char *p = getenv("CURL_SMALLREQSEND");
+      if(p) {
+        curl_off_t body_small;
+        if(!Curl_str_number(&p, &body_small, body_len))
+          blen = hds_len + (size_t)body_small;
+      }
     }
   }
 #endif

lib/strparse.c

@@ -104,40 +104,57 @@ int Curl_str_singlespace(const char **linep)
   return Curl_str_single(linep, ' ');
 }
 
-/* given an ASCII hexadecimal character, return the value */
-#define HEXDIGIT2NUM(x)                                         \
-  (((x) > '9') ? Curl_raw_tolower(x) - 'a' + 10 : x - '0')
-
-/* given an ASCII character and a given base, return TRUE if valid */
-#define valid_digit(digit, base)                                        \
-  (((base == 10) && ISDIGIT(digit)) ||                                  \
-   ((base == 16) && ISXDIGIT(digit)) ||                                 \
-   ((base == 8) && ISODIGIT(digit)))
-
-/* given an ASCII character and a given base, return the value */
-#define num_digit(digit, base)                          \
-  ((base != 16) ? digit - '0' : HEXDIGIT2NUM(digit))
+/* given an ASCII character and max ascii, return TRUE if valid */
+#define valid_digit(x,m) \
+  (((x) >= '0') && ((x) <= m) && hexasciitable[(x)-'0'])
 
 /* no support for 0x prefix nor leading spaces */
 static int str_num_base(const char **linep, curl_off_t *nump, curl_off_t max,
                         int base) /* 8, 10 or 16, nothing else */
 {
+  /* We use 16 for the zero index (and the necessary bitwise AND in the loop)
+     to be able to have a non-zero value there to make valid_digit() able to
+     use the info */
+  static const unsigned char hexasciitable[] = {
+    16, 1, 2, 3, 4, 5, 6, 7, 8, 9, /* 0x30: 0 - 9 */
+    0, 0, 0, 0, 0, 0, 0,
+    10, 11, 12, 13, 14, 15,       /* 0x41: A - F */
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+    0, 0, 0, 0, 0, 0,
+    10, 11, 12, 13, 14, 15        /* 0x61: a - f */
+  };
+
   curl_off_t num = 0;
+  const char *p;
+  int m = (base == 10) ? '9' :   /* the largest digit possible */
+    (base == 16) ? 'f' : '7';
   DEBUGASSERT(linep && *linep && nump);
   DEBUGASSERT((base == 8) || (base == 10) || (base == 16));
+  DEBUGASSERT(max >= 0); /* mostly to catch SIZE_T_MAX, which is too large */
   *nump = 0;
-  if(!valid_digit(**linep, base))
+  p = *linep;
+  if(!valid_digit(*p, m))
     return STRE_NO_NUM;
-  do {
-    int n = num_digit(**linep, base);
-    if(num > ((CURL_OFF_T_MAX - n) / base))
-      return STRE_OVERFLOW;
-    num = num * base + n;
-    if(num > max)
-      return STRE_BIG; /** too big */
-    (*linep)++;
-  } while(valid_digit(**linep, base));
+  if(max < base) {
+    /* special-case low max scenario because check needs to be different */
+    do {
+      int n = hexasciitable[*p++ - '0'] & 0x0f;
+      num = num * base + n;
+      if(num > max)
+        return STRE_OVERFLOW;
+    } while(valid_digit(*p, m));
+  }
+  else {
+    do {
+      int n = hexasciitable[*p++ - '0'] & 0x0f;
+      if(num > ((max - n) / base))
+        return STRE_OVERFLOW;
+      num = num * base + n;
+    } while(valid_digit(*p, m));
+  }
   *nump = num;
+  *linep = p;
   return STRE_OK;
 }
 

lib/vssh/libssh.c

@@ -2740,11 +2740,11 @@ static void sftp_quote(struct Curl_easy *data)
    * OpenSSH's sftp program and call the appropriate libssh
    * functions.
    */
-  if(strncasecompare(cmd, "chgrp ", 6) ||
-     strncasecompare(cmd, "chmod ", 6) ||
-     strncasecompare(cmd, "chown ", 6) ||
-     strncasecompare(cmd, "atime ", 6) ||
-     strncasecompare(cmd, "mtime ", 6)) {
+  if(!strncmp(cmd, "chgrp ", 6) ||
+     !strncmp(cmd, "chmod ", 6) ||
+     !strncmp(cmd, "chown ", 6) ||
+     !strncmp(cmd, "atime ", 6) ||
+     !strncmp(cmd, "mtime ", 6)) {
     /* attribute change */
 
     /* sshc->quote_path1 contains the mode to set */
@@ -2766,8 +2766,8 @@ static void sftp_quote(struct Curl_easy *data)
     state(data, SSH_SFTP_QUOTE_STAT);
     return;
   }
-  if(strncasecompare(cmd, "ln ", 3) ||
-     strncasecompare(cmd, "symlink ", 8)) {
+  if(!strncmp(cmd, "ln ", 3) ||
+     !strncmp(cmd, "symlink ", 8)) {
     /* symbolic linking */
     /* sshc->quote_path1 is the source */
     /* get the destination */
@@ -2786,12 +2786,12 @@ static void sftp_quote(struct Curl_easy *data)
     state(data, SSH_SFTP_QUOTE_SYMLINK);
     return;
   }
-  else if(strncasecompare(cmd, "mkdir ", 6)) {
+  else if(!strncmp(cmd, "mkdir ", 6)) {
     /* create dir */
     state(data, SSH_SFTP_QUOTE_MKDIR);
     return;
   }
-  else if(strncasecompare(cmd, "rename ", 7)) {
+  else if(!strncmp(cmd, "rename ", 7)) {
     /* rename file */
     /* first param is the source path */
     /* second param is the dest. path */
@@ -2810,17 +2810,17 @@ static void sftp_quote(struct Curl_easy *data)
     state(data, SSH_SFTP_QUOTE_RENAME);
     return;
   }
-  else if(strncasecompare(cmd, "rmdir ", 6)) {
+  else if(!strncmp(cmd, "rmdir ", 6)) {
     /* delete dir */
     state(data, SSH_SFTP_QUOTE_RMDIR);
     return;
   }
-  else if(strncasecompare(cmd, "rm ", 3)) {
+  else if(!strncmp(cmd, "rm ", 3)) {
     state(data, SSH_SFTP_QUOTE_UNLINK);
     return;
   }
 #ifdef HAS_STATVFS_SUPPORT
-  else if(strncasecompare(cmd, "statvfs ", 8)) {
+  else if(!strncmp(cmd, "statvfs ", 8)) {
     state(data, SSH_SFTP_QUOTE_STATVFS);
     return;
   }
@@ -2871,7 +2871,7 @@ static void sftp_quote_stat(struct Curl_easy *data)
   }
 
   /* Now set the new attributes... */
-  if(strncasecompare(cmd, "chgrp", 5)) {
+  if(!strncmp(cmd, "chgrp", 5)) {
     const char *p = sshc->quote_path1;
     curl_off_t gid;
     (void)Curl_str_number(&p, &gid, UINT_MAX);
@@ -2888,7 +2888,7 @@ static void sftp_quote_stat(struct Curl_easy *data)
     }
     sshc->quote_attrs->flags |= SSH_FILEXFER_ATTR_UIDGID;
   }
-  else if(strncasecompare(cmd, "chmod", 5)) {
+  else if(!strncmp(cmd, "chmod", 5)) {
     curl_off_t perms;
     const char *p = sshc->quote_path1;
     if(Curl_str_octal(&p, &perms, 07777)) {
@@ -2903,7 +2903,7 @@ static void sftp_quote_stat(struct Curl_easy *data)
     sshc->quote_attrs->permissions = (mode_t)perms;
     sshc->quote_attrs->flags |= SSH_FILEXFER_ATTR_PERMISSIONS;
   }
-  else if(strncasecompare(cmd, "chown", 5)) {
+  else if(!strncmp(cmd, "chown", 5)) {
     const char *p = sshc->quote_path1;
     curl_off_t uid;
     (void)Curl_str_number(&p, &uid, UINT_MAX);
@@ -2919,8 +2919,8 @@ static void sftp_quote_stat(struct Curl_easy *data)
     }
     sshc->quote_attrs->flags |= SSH_FILEXFER_ATTR_UIDGID;
   }
-  else if(strncasecompare(cmd, "atime", 5) ||
-          strncasecompare(cmd, "mtime", 5)) {
+  else if(!strncmp(cmd, "atime", 5) ||
+          !strncmp(cmd, "mtime", 5)) {
     time_t date = Curl_getdate_capped(sshc->quote_path1);
     bool fail = FALSE;
     if(date == -1) {
@@ -2941,7 +2941,7 @@ static void sftp_quote_stat(struct Curl_easy *data)
       sshc->actualcode = CURLE_QUOTE_ERROR;
       return;
     }
-    if(strncasecompare(cmd, "atime", 5))
+    if(!strncmp(cmd, "atime", 5))
       sshc->quote_attrs->atime = (uint32_t)date;
     else /* mtime */
       sshc->quote_attrs->mtime = (uint32_t)date;