
Update to curl 8.4.0 #532

Merged (4 commits), Oct 11, 2023

Conversation

@ecnelises (Contributor) commented Oct 11, 2023

cURL 8.4.0 fixes two vulnerabilities:

@ecnelises (Contributor, Author) commented Oct 11, 2023

The macOS failure is reproducible locally, and previous commit is green. Looking.

Upstream curl commit 3aa3cc9b changed MIME multipart boundary from 16
to 22 bytes. Update the tests accordingly. Disable such tests when using
system curl to avoid expected failure.
@ecnelises (Contributor, Author) commented:

curl/curl@3aa3cc9 breaks behavior of MIME multipart boundaries. I updated the tests and disabled them when using system curl.

@ehuss (Collaborator) commented Oct 11, 2023

I've been trying to investigate the upload_lots test hanging, but not getting too far. I bisected the change to curl/curl#11939, which resulted in a report of tests hanging in curl/curl#12033, but there were two fixes that supposedly fixed the hangs (which are in 8.4).

I'm also wondering if the hanging is more related to mio, which is a very old version. Worryingly, #358 tried to update, but ran into timeout problems, too.

If I can't make much progress soon, I think we should just disable the test for now to get the CVE fixes out. However, I don't have a grasp of whether that will make things worse if the hangs are legitimately a problem.

It is quite strange that it only fails on Linux.

ehuss added 2 commits October 11, 2023 15:32
This determines the multipart boundary size based on the version of
curl currently being used.
This test is hanging on Linux with the 8.4.0 update.

My poor understanding is that `perform()` should not be used with
`curl_multi_socket_action` (that is, it should only use `perform` or
`action`, not both). Removing this seems to fix things.

Note that there were some other hang-related changes in the 8.4.0
release. I bisected the hang to curl/curl#11939,
which then uncovered some curl tests that were hanging in
curl/curl#12033. That then spawned off
two more changes to fix the hangs (both of which are also in 8.4.0).
However, this upload_lots was still failing. I think this is likely
due to an incorrect use of the API poorly interacting with the timer
changes in 8.4.0.
@ehuss (Collaborator) commented Oct 11, 2023

I pushed a fix for the timeout. I also pushed a slightly different approach for the multipart boundary size change which should work with whatever curl version is in use.

I'm going to go ahead and merge to get the CVE fixes out.
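As an added example (not curl-rust's own test code), the version-gated approach described in the commits above written out: parse the libcurl version string, expect a 16-byte boundary before 8.4.0 and 22 bytes from 8.4.0 on, and check a multipart Content-Type header against that. The `libcurl/X.Y.Z` prefix is the assumed shape of libcurl's version string; the header values are constructed.

```rust
// Added example, not code from the curl-rust project. Boundary lengths (16
// before 8.4.0, 22 from 8.4.0) are the figures quoted in the PR discussion.

/// Parse the "X.Y.Z" after "libcurl/" into a comparable (major, minor, patch).
/// Assumes the version string starts with "libcurl/", e.g. "libcurl/8.4.0 OpenSSL/3.0.2".
pub fn parse_libcurl_version(version_line: &str) -> Option<(u32, u32, u32)> {
    let rest = version_line.strip_prefix("libcurl/")?;
    let ver = rest.split_whitespace().next()?;
    let mut parts = ver.split('.').map(|p| p.parse::<u32>().ok());
    let major = parts.next()??;
    let minor = parts.next()??;
    // A missing patch component (e.g. "libcurl/8.4") is treated as .0.
    let patch = parts.next().flatten().unwrap_or(0);
    Some((major, minor, patch))
}

/// Expected MIME multipart boundary length for a given libcurl version.
pub fn expected_boundary_len(version: (u32, u32, u32)) -> usize {
    if version >= (8, 4, 0) { 22 } else { 16 }
}

/// Extract the boundary parameter from a multipart Content-Type header value,
/// tolerating an optionally quoted value.
pub fn boundary_of(content_type: &str) -> Option<&str> {
    content_type
        .split(';')
        .map(str::trim)
        .find_map(|p| p.strip_prefix("boundary="))
        .map(|b| b.trim_matches('"'))
}

/// True when the header's boundary has the length this libcurl should produce.
/// Returns false if either the header or the version string cannot be parsed.
pub fn boundary_matches_version(content_type: &str, version_line: &str) -> bool {
    match (boundary_of(content_type), parse_libcurl_version(version_line)) {
        (Some(b), Some(v)) => b.len() == expected_boundary_len(v),
        _ => false,
    }
}

fn main() {
    // Constructed header: a 22-byte boundary, as a curl >= 8.4.0 build would emit.
    let header = "multipart/form-data; boundary=abcdef0123456789abcdef";
    for ver in ["libcurl/8.3.0", "libcurl/8.4.0"] {
        println!("{ver}: boundary ok = {}", boundary_matches_version(header, ver));
    }
}
```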

@ehuss ehuss merged commit de57280 into alexcrichton:main Oct 11, 2023
@ecnelises (Contributor, Author) commented:

Thanks!
