From b8d733df8ce0c5da137fa2bba7c185b2fd877935 Mon Sep 17 00:00:00 2001
From: Sergey Bronnikov <sergeyb@tarantool.org>
Date: Thu, 7 Dec 2023 17:03:11 +0300
Subject: [PATCH] third_party: update libcurl from 8.4.0 to 8.5.0

The patch updates curl module to the version 8.5.0 [1][2] that brings a
number of functional fixes and security fix for CVE-2023-46219 (HSTS
long file name clears contents), see description in [2], and updates
CMake module for building curl library.

Changes in CMake module:

- Option `CURL_DISABLE_HEADERS_API` was added and disabled by default [4].
- Option `CURL_DISABLE_BINDLOCAL` was added and disabled by default [5].
- Option `CURL_DISABLE_INSTALL` was added and disabled by default [6].

1. https://curl.se/changes.html#8_5_0
2. https://github.com/curl/curl/compare/curl-8_4_0...curl-8_5_0
3. https://curl.se/docs/CVE-2023-46219.html
4. https://github.com/curl/curl/commit/33493db2af2dc6d9910f5d7c702aae6f63b8a6a6
5. https://github.com/curl/curl/commit/20bb363f25151febe9026b41b8ad65df6db20b68
6. https://github.com/curl/curl/commit/aace27b0965c10394544d1dacc9c2cb2fe0de3d3

NO_DOC=libcurl submodule bump
NO_TEST=libcurl submodule bump
---
 changelogs/unreleased/bump-libcurl-to-8.5.0.md | 3 +++
 cmake/BuildLibCURL.cmake                       | 9 +++++++++
 third_party/curl                               | 2 +-
 3 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/bump-libcurl-to-8.5.0.md

diff --git a/changelogs/unreleased/bump-libcurl-to-8.5.0.md b/changelogs/unreleased/bump-libcurl-to-8.5.0.md
new file mode 100644
index 0000000000..111a0b4ecb
--- /dev/null
+++ b/changelogs/unreleased/bump-libcurl-to-8.5.0.md
@@ -0,0 +1,3 @@
+## bugfix/build
+
+* Updated libcurl to version 8.5.0.
diff --git a/cmake/BuildLibCURL.cmake b/cmake/BuildLibCURL.cmake
index 1739c88a2a..0d05e0e5fc 100644
--- a/cmake/BuildLibCURL.cmake
+++ b/cmake/BuildLibCURL.cmake
@@ -206,6 +206,15 @@ macro(curl_build)
     # libcurl-d.a. We use this name below.
     list(APPEND LIBCURL_CMAKE_FLAGS "-DCMAKE_DEBUG_POSTFIX=")
 
+    # Disables 'install' targets.
+    list(APPEND LIBCURL_CMAKE_FLAGS "-DCURL_DISABLE_INSTALL=OFF")
+
+    # Disables local binding support.
+    list(APPEND LIBCURL_CMAKE_FLAGS "-DCURL_DISABLE_BINDLOCAL=OFF")
+
+    # Disables headers-api support.
+    list(APPEND LIBCURL_CMAKE_FLAGS "-DCURL_DISABLE_HEADERS_API=OFF")
+
     include(ExternalProject)
     ExternalProject_Add(
         bundled-libcurl-project
diff --git a/third_party/curl b/third_party/curl
index d755a5f7c0..7161cb17c0 160000
--- a/third_party/curl
+++ b/third_party/curl
@@ -1 +1 @@
-Subproject commit d755a5f7c009dd63a61b2c745180d8ba937cbfeb
+Subproject commit 7161cb17c01dcff1dc5bf89a18437d9d729f1ecd
-- 
GitLab