Open library file descriptors with O_CLOEXEC This patch is non-portable, it needs linux 2.6.23 and glibc 2.7 or later, different combinations (old linux, new glibc and vice-versa) will result in a crash. To make it portable you have to test O_CLOEXEC support at *runtime* compile time is not enough. Index: lib/cookie.c =================================================================== --- lib/cookie.c.orig 2013-04-12 13:25:07.866367012 +0200 +++ lib/cookie.c 2013-04-12 13:25:29.391017340 +0200 @@ -750,7 +750,7 @@ struct CookieInfo *Curl_cookie_init(stru fp = NULL; } else - fp = file?fopen(file, "r"):NULL; + fp = file?fopen(file, "re"):NULL; c->newsession = newsession; /* new session? */ @@ -1091,7 +1091,7 @@ static int cookie_output(struct CookieIn use_stdout=TRUE; } else { - out = fopen(dumphere, "w"); + out = fopen(dumphere, "we"); if(!out) return 1; /* failure */ } Index: lib/file.c =================================================================== --- lib/file.c.orig 2013-04-12 13:25:07.867367042 +0200 +++ lib/file.c 2013-04-12 13:25:29.391017340 +0200 @@ -243,7 +243,7 @@ static CURLcode file_connect(struct conn fd = open_readonly(actual_path, O_RDONLY|O_BINARY); file->path = actual_path; #else - fd = open_readonly(real_path, O_RDONLY); + fd = open_readonly(real_path, O_RDONLY|O_CLOEXEC); file->path = real_path; #endif file->freepath = real_path; /* free this when done */ @@ -341,7 +341,7 @@ static CURLcode file_upload(struct conne else mode = MODE_DEFAULT|O_TRUNC; - fd = open(file->path, mode, conn->data->set.new_file_perms); + fd = open(file->path, mode | O_CLOEXEC, conn->data->set.new_file_perms); if(fd < 0) { failf(data, "Can't open %s for writing", file->path); return CURLE_WRITE_ERROR; Index: lib/formdata.c =================================================================== --- lib/formdata.c.orig 2013-04-12 13:25:07.868367072 +0200 +++ lib/formdata.c 2013-04-12 13:25:29.392017370 +0200 
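Review bot: The `"re"` mode in Curl_cookie_init depends on the C library understanding the `e` flag, and the new line has no way to notice when it does not: a library that skips unknown mode characters returns a stream whose descriptor is still inherited across exec, without any error. The same holds for the other fopen() changes in this patch (cookie_output, Curl_getformdata, readfromfile, Curl_parsenetrc, cert_stuff, servercert), which open the cookie jar, the netrc file and certificate files. Setting the flag explicitly after a successful open closes that gap, e.g. `if(fp) (void)fcntl(fileno(fp), F_SETFD, FD_CLOEXEC);`, ideally in one shared helper so every call site behaves the same. The function body starts and ends outside this hunk.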
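Review bot: `fopen(dumphere, "we")` in cookie_output still creates the cookie jar with whatever permissions the process umask leaves, so the hunk keeps the descriptor away from child processes while the file itself may remain readable by other local users. Creating it with an explicit mode would cover both: `fd = open(dumphere, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0600);` followed by `out = (fd < 0) ? NULL : fdopen(fd, "w");`. An existing file keeps its current mode either way, and whether callers already restrict the umask is not visible from this hunk.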
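Review bot: `O_CLOEXEC` is used unconditionally in file_connect, and again in the file_upload hunk that follows, so lib/file.c stops compiling wherever `<fcntl.h>` does not define the macro; a fallback after the includes keeps the build working: `#ifndef O_CLOEXEC` / `#define O_CLOEXEC 0` / `#endif`. On a kernel that does not know the flag, open() is expected to ignore it rather than fail, which leaves the descriptor inheritable with no indication. Adding `(void)fcntl(fd, F_SETFD, FD_CLOEXEC);` after the existing `fd < 0` check would make the result independent of the kernel version. In file_connect the change sits in the `#else` branch only; the `O_BINARY` branch above it is untouched, and both functions continue outside their hunks.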
@@ -1234,7 +1234,7 @@ CURLcode Curl_getformdata(struct Session FILE *fileread; fileread = strequal("-", file->contents)? - stdin:fopen(file->contents, "rb"); /* binary read for win32 */ + stdin:fopen(file->contents, "rbe"); /* binary read for win32 */ /* * VMS: This only allows for stream files on VMS. Stream files are @@ -1365,7 +1365,7 @@ static size_t readfromfile(struct Form * else { if(!form->fp) { /* this file hasn't yet been opened */ - form->fp = fopen(form->data->line, "rb"); /* b is for binary */ + form->fp = fopen(form->data->line, "rbe"); /* b is for binary */ if(!form->fp) return (size_t)-1; /* failure */ } Index: lib/hostip6.c =================================================================== --- lib/hostip6.c.orig 2013-04-12 13:25:07.868367072 +0200 +++ lib/hostip6.c 2013-04-12 13:25:29.392017370 +0200 @@ -39,7 +39,7 @@ #ifdef HAVE_PROCESS_H #include #endif - +#include #include "urldata.h" #include "sendf.h" #include "hostip.h" @@ -107,7 +107,7 @@ bool Curl_ipv6works(void) static int ipv6_works = -1; if(-1 == ipv6_works) { /* probe to see if we have a working IPv6 stack */ - curl_socket_t s = socket(PF_INET6, SOCK_DGRAM, 0); + curl_socket_t s = socket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); if(s == CURL_SOCKET_BAD) /* an ipv6 address was requested but we can't get/use one */ ipv6_works = 0; Index: lib/if2ip.c =================================================================== --- lib/if2ip.c.orig 2013-04-12 13:25:07.869367102 +0200 +++ lib/if2ip.c 2013-04-12 13:25:29.393017400 +0200 @@ -171,7 +171,7 @@ if2ip_result_t Curl_if2ip(int af, unsign if(len >= sizeof(req.ifr_name)) return IF2IP_NOT_FOUND; - dummy = socket(AF_INET, SOCK_STREAM, 0); + dummy = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); if(CURL_SOCKET_BAD == dummy) return IF2IP_NOT_FOUND; Index: lib/netrc.c =================================================================== --- lib/netrc.c.orig 2013-04-12 13:25:07.869367102 +0200 +++ lib/netrc.c 2013-04-12 13:25:29.393017400 +0200 
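Review bot: `SOCK_CLOEXEC` in Curl_ipv6works needs a newer kernel than the 2.6.23 named in the patch description (the socket type flags arrived in Linux 2.6.27), and on an older kernel socket() fails with EINVAL instead of ignoring the flag. In this hunk that failure is read as "no working IPv6 stack" and cached in the static `ipv6_works`; in the Curl_if2ip and Curl_socket hunks it becomes IF2IP_NOT_FOUND and a failed connection. A retry without the flag keeps those paths working, at the cost of a short window before fcntl() in which a concurrent fork/exec can still inherit the descriptor. The sketch uses plain `errno`; the file's own socket-error macro may be the better fit.

```c
curl_socket_t s = socket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0);
if(s == CURL_SOCKET_BAD && errno == EINVAL) {
  /* kernel predates SOCK_CLOEXEC: retry plain, then mark the descriptor */
  s = socket(PF_INET6, SOCK_DGRAM, 0);
  if(s != CURL_SOCKET_BAD)
    (void)fcntl(s, F_SETFD, FD_CLOEXEC);
}
/* … unchanged: CURL_SOCKET_BAD check and ipv6_works assignment … */
```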
@@ -97,7 +97,7 @@ int Curl_parsenetrc(const char *host, netrc_alloc = TRUE; } - file = fopen(netrcfile, "r"); + file = fopen(netrcfile, "re"); if(file) { char *tok; char *tok_buf; Index: lib/ssluse.c =================================================================== --- lib/ssluse.c.orig 2013-04-12 13:25:07.870367132 +0200 +++ lib/ssluse.c 2013-04-12 13:25:29.394017430 +0200 @@ -419,7 +419,7 @@ int cert_stuff(struct connectdata *conn, STACK_OF(X509) *ca = NULL; int i; - f = fopen(cert_file,"rb"); + f = fopen(cert_file,"rbe"); if(!f) { failf(data, "could not open PKCS12 file '%s'", cert_file); return 0; @@ -2246,7 +2246,7 @@ static CURLcode servercert(struct connec /* e.g. match issuer name with provided issuer certificate */ if(data->set.str[STRING_SSL_ISSUERCERT]) { - fp=fopen(data->set.str[STRING_SSL_ISSUERCERT],"r"); + fp=fopen(data->set.str[STRING_SSL_ISSUERCERT],"re"); if(!fp) { if(strict) failf(data, "SSL: Unable to open issuer cert (%s)", Index: lib/connect.c =================================================================== --- lib/connect.c.orig 2013-04-12 13:25:07.871367163 +0200 +++ lib/connect.c 2013-04-12 13:25:29.394017430 +0200 @@ -1308,7 +1308,7 @@ CURLcode Curl_socket(struct connectdata (struct curl_sockaddr *)addr); else /* opensocket callback not set, so simply create the socket now */ - *sockfd = socket(addr->family, addr->socktype, addr->protocol); + *sockfd = socket(addr->family, addr->socktype | SOCK_CLOEXEC, addr->protocol); if(*sockfd == CURL_SOCKET_BAD) /* no socket, no connection */ Index: configure.ac =================================================================== --- configure.ac.orig 2013-04-12 13:25:07.873367223 +0200 +++ configure.ac 2013-04-12 13:25:29.396017491 +0200 @@ -183,6 +183,7 @@ AC_CANONICAL_HOST dnl Get system canonical name AC_DEFINE_UNQUOTED(OS, "${host}", [cpu-machine-OS]) +AC_USE_SYSTEM_EXTENSIONS dnl Checks for programs. dnl Our curl_off_t internal and external configure settings 
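Review bot: In Curl_socket the flag is added only on the branch taken when no opensocket callback is set, so a socket returned by the application's callback (the call ending in `(struct curl_sockaddr *)addr);` just above) is used as is and may still be inherited across exec. If that is intended, a comment on the callback branch would record it: `/* sockets from the opensocket callback are not marked close-on-exec here; the callback owner is responsible */`. Otherwise an `fcntl(*sockfd, F_SETFD, FD_CLOEXEC)` after the shared `CURL_SOCKET_BAD` check would cover both branches. The function starts and ends outside this hunk.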
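Review bot: `AC_USE_SYSTEM_EXTENSIONS` only takes full effect when it is expanded before the first macro that runs the C compiler, and this hunk does not show whether anything above line 183 already does that; if something does, some configure tests run without the extension defines. The patch also adds no probe for the new flags, so the C files have nothing to guard their use with. `AC_CHECK_DECLS([O_CLOEXEC], [], [], [[#include <fcntl.h>]])`, and the same for `SOCK_CLOEXEC` with `<sys/socket.h>`, would give them HAVE_DECL_ macros to test. That covers the compile side only; the runtime caveat in the patch description still applies.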
@@ -195,6 +196,7 @@ dnl Our configure and build reentrant se CURL_CONFIGURE_THREAD_SAFE CURL_CONFIGURE_REENTRANT + dnl check for how to do large files AC_SYS_LARGEFILE