c_cpp/curl
SHA256
8
0
Fork 0
forked from pool/curl
Code Pull Requests Activity
Files
main
curl/libcurl-ocloexec.patch
Pedro Monreal Gonzalez 4463c4cc62 - Update to 8.14.0: 
* Security fixes:
    - [CVE-2025-4947, bsc#1243397] QUIC certificate check skip with wolfSSL
    - [CVE-2025-5025, bsc#1243706] No QUIC certificate pinning with wolfSSL
  * Changes:
    - mqtt: send ping at upkeep interval
    - schannel: handle pkcs12 client certificates containing CA certificates
    - TLS: add CURLOPT_SSL_SIGNATURE_ALGORITHMS and --sigalgs
    - vquic: ngtcp2 + openssl support
    - wcurl: import v2025.04.20 script + docs
    - websocket: add option to disable auto-pong reply
  * Bugfixes:
    - asny-thrdd: fix detach from running thread
    - async-threaded resolver: use ref counter
    - async: DoH improvements
    - build: enable gcc-12/13+, clang-10+ picky warnings
    - build: enable gcc-15 picky warnings
    - certs: drop unused `default_bits` from `.prm` files
    - cf-https-connect: use the passed in dns struct pointer
    - cf-socket: fix FTP accept connect
    - cfilters: remove assert
    - cmake: fix nghttp3 static linking with `USE_OPENSSL_QUIC=ON`
    - cmake: prefer `COMPILE_OPTIONS` over `CMAKE_C_FLAGS` for custom C options
    - cmake: revert `CURL_LTO` behavior for multi-config generators
    - configure: fix --disable-rt
    - CONTRIBUTE: add project guidelines for AI use
    - cpool/cshutdown: force close connections under pressure
    - curl: fix memory leak when -h is used in config file
    - curl_get_line: handle lines ending on the buffer boundary
    - headers: enforce a max number of response header to accept

OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/curl?expand=0&rev=395
2025-05-28 11:24:12 +00:00

97 lines
3.2 KiB
Diff
Raw Permalink Blame History

Open library file descriptors with O_CLOEXEC
This patch is non-portable, it needs linux 2.6.23 and glibc 2.7
or later, different combinations (old linux, new glibc and vice-versa)
will result in a crash.
To make it portable you have to test O_CLOEXEC support at *runtime*
compile time is not enough.
Index: curl-8.14.0/lib/file.c
===================================================================
--- curl-8.14.0.orig/lib/file.c
+++ curl-8.14.0/lib/file.c
@@ -270,7 +270,7 @@ static CURLcode file_connect(struct Curl
}
}
#else
- fd = open(real_path, O_RDONLY);
+ fd = open(real_path, O_RDONLY|O_CLOEXEC);
file->path = real_path;
#endif
#endif
@@ -349,9 +349,9 @@ static CURLcode file_upload(struct Curl_
#if (defined(ANDROID) || defined(__ANDROID__)) && \
(defined(__i386__) || defined(__arm__))
- fd = open(file->path, mode, (mode_t)data->set.new_file_perms);
+ fd = open(file->path, mode|O_CLOEXEC, (mode_t)data->set.new_file_perms);
#else
- fd = open(file->path, mode, data->set.new_file_perms);
+ fd = open(file->path, mode|O_CLOEXEC, data->set.new_file_perms);
#endif
if(fd < 0) {
failf(data, "cannot open %s for writing", file->path);
Index: curl-8.14.0/lib/if2ip.c
===================================================================
--- curl-8.14.0.orig/lib/if2ip.c
+++ curl-8.14.0/lib/if2ip.c
@@ -209,7 +209,7 @@ if2ip_result_t Curl_if2ip(int af,
if(len >= sizeof(req.ifr_name))
return IF2IP_NOT_FOUND;
- dummy = socket(AF_INET, SOCK_STREAM, 0);
+ dummy = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, 0);
if(CURL_SOCKET_BAD == dummy)
return IF2IP_NOT_FOUND;
Index: curl-8.14.0/configure.ac
===================================================================
--- curl-8.14.0.orig/configure.ac
+++ curl-8.14.0/configure.ac
@@ -440,6 +440,8 @@ AC_DEFINE_UNQUOTED(CURL_OS, "${host}", [
# Silence warning: ar: 'u' modifier ignored since 'D' is the default
AC_SUBST(AR_FLAGS, [cr])
+AC_USE_SYSTEM_EXTENSIONS
+
dnl This defines _ALL_SOURCE for AIX
CURL_CHECK_AIX_ALL_SOURCE
Index: curl-8.14.0/lib/hostip.c
===================================================================
--- curl-8.14.0.orig/lib/hostip.c
+++ curl-8.14.0/lib/hostip.c
@@ -46,6 +46,7 @@
#include <signal.h>
#endif
+#include <fcntl.h>
#include "urldata.h"
#include "sendf.h"
#include "connect.h"
@@ -691,7 +692,7 @@ bool Curl_ipv6works(struct Curl_easy *da
else {
int ipv6_works = -1;
/* probe to see if we have a working IPv6 stack */
- curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0);
+ curl_socket_t s = socket(PF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, 0);
if(s == CURL_SOCKET_BAD)
/* an IPv6 address was requested but we cannot get/use one */
ipv6_works = 0;
Index: curl-8.14.0/lib/cf-socket.c
===================================================================
--- curl-8.14.0.orig/lib/cf-socket.c
+++ curl-8.14.0/lib/cf-socket.c
@@ -369,7 +369,9 @@ static CURLcode socket_open(struct Curl_
}
else {
/* opensocket callback not set, so simply create the socket now */
- *sockfd = socket(addr->family, addr->socktype, addr->protocol);
+ *sockfd = socket(addr->family,
+ addr->socktype|SOCK_CLOEXEC,
+ addr->protocol);
}
if(*sockfd == CURL_SOCKET_BAD)
View Git Blame Copy Permalink