http2: initialize req.no_body in Curl_init_do for push#21194
http2: initialize req.no_body in Curl_init_do for push#21194
Conversation
|
Analysis of PR #21194 at dcdfc6a8: Test 1620 failed, which has NOT been flaky recently, so there could be a real issue in this PR. Note that this test has failed in 4 different CI jobs (the link just goes to one of them). Generated by Testclutch |
There was a problem hiding this comment.
Pull request overview
This PR ensures that transfers created via HTTP/2 server push correctly inherit and initialize the “no body” request state when CURLOPT_NOBODY is enabled, even when the duplicated easy handle is initialized without a connection pointer.
Changes:
- Initialize
data->req.no_bodyfromdata->set.opt_no_bodyinsideCurl_init_do(). - Ensure
HTTPREQ_HEADis selected whenno_bodyis set duringCurl_init_do(). - Add a unit test to verify duplicated handles preserve
no_body/HTTPREQ_HEADafterCurl_init_do(dupe, NULL).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
lib/url.c |
Initializes req.no_body (and sets HTTPREQ_HEAD) during Curl_init_do(), covering push/dup-handle init paths. |
tests/unit/unit1620.c |
Adds coverage to confirm a duplicated handle retains no_body + uses HTTPREQ_HEAD after init without a connection. |
Comments suppressed due to low confidence (1)
lib/url.c:3521
req.no_bodyis now initialized here but it is also set inCurl_req_hard_reset()(lib/request.c:155). To avoid having to keep multiple sites in sync (and risking future drift), consider centralizing this initialization inCurl_req_start()/Curl_req_soft_reset()(or a shared helper) and have callers rely on that single place.
data->req.no_body = data->set.opt_no_body;
if(data->req.no_body)
/* in HTTP lingo, no body means using the HEAD request... */
data->state.httpreq = HTTPREQ_HEAD;
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
req.no_body was only initialized in Curl_connect, while HTTP/2 server push adds a duplicated handle via Curl_multi_add_perform and calls Curl_init_do with conn==NULL, never invoking Curl_connect. Found by Codex Security
🔒 Aisle Security Analysis✅ We scanned this PR and did not find any security vulnerabilities. Aisle supplements but does not replace security review. Analyzed PR: #21194 at commit Last updated on: 2026-04-02T08:39:32Z |
req.no_body was only initialized in Curl_connect, while HTTP/2 server push adds a duplicated handle via Curl_multi_add_perform and calls Curl_init_do with conn==NULL, never invoking Curl_connect. Verify it by amending test 1620 Found by Codex Security Closes curl#21194
No description provided.