summaryrefslogtreecommitdiff
path: root/net-misc/curl
diff options
context:
space:
mode:
authorV3n3RiX <venerix@koprulu.sector>2022-10-28 22:00:05 +0100
committerV3n3RiX <venerix@koprulu.sector>2022-10-28 22:00:05 +0100
commit9c602d90d61cea9fe83c596c68a99e383ee15f73 (patch)
treebca80b41af9c142cee7e07f14622dff065e60932 /net-misc/curl
parentcf7630078a53ff74b245b148bd722994068e28f9 (diff)
gentoo auto-resync : 28:10:2022 - 22:00:04
Diffstat (limited to 'net-misc/curl')
-rw-r--r--net-misc/curl/Manifest3
-rw-r--r--net-misc/curl/curl-7.86.0-r1.ebuild289
-rw-r--r--net-misc/curl/files/curl-7.86.0-proxy-noproxy-match-comma.patch86
-rw-r--r--net-misc/curl/files/curl-7.86.0-proxy-noproxy-tailmatching.patch66
4 files changed, 444 insertions, 0 deletions
diff --git a/net-misc/curl/Manifest b/net-misc/curl/Manifest
index 3d3fd3007b22..b95fa03f66d6 100644
--- a/net-misc/curl/Manifest
+++ b/net-misc/curl/Manifest
@@ -1,6 +1,8 @@
AUX curl-7.30.0-prefix.patch 880 BLAKE2B 5b7552a8339014221864a585d174b02a96ec7dd7fe8762d331d1981834044f8ec4db64d527a4ded3f5f4cccc86f281576668de092439eb19f5477d5fcf8369cf SHA512 c7cd13b9ccbd12ed01ea121ffece9c23b898a5b34698bae59ae1dd23b1cf2445180b84d80c4a640981f16dba5018df944f405dd5c660addab54ca21e0e673b7f
AUX curl-7.84.0-easylock.patch 856 BLAKE2B a77854a75a06ad66ef4dc7d6a2555fe2678f4bfd170e961c35e5ad2a82a62891d125ead2d15a311e2a8951404732c755a03636dd4bf4dd3ad16e8bf32ff4f7ca SHA512 7b94f941577d5b0a240e4e879a7e4c659dbdd4ff50d67465bd1a0adf30f5e37a0af7f15b71810feb05d19b833359b069f86aa3ac4c396fd8ba8ed2012b60fb8f
AUX curl-7.84.0-include-sched.patch 625 BLAKE2B 8c7ecdbc8ffd7cafac915c2d12db1ea98acbd166f18eba538ecd4666152653c36784569f1945b095480120c61124573b094e26ce26c8b85f62baedb40e20d758 SHA512 4be64eff67e56c2584f6c9ee0c9c7b7aca55fc15c8d4be6f9f79da9bb3c1bb1532bcb80eb4f87be2db1058dd41a32e366bfe83988d28b4b263fbb6679b5ec806
+AUX curl-7.86.0-proxy-noproxy-match-comma.patch 3143 BLAKE2B 1aa8d62e6082601eae9e3ae7690a1e7ddce7f12be4cf9f20010f32aa51cd5b1c4206be0b731935a9ddd45bb5654ceed3cba3eabb6a1b9dc60112052d7e79ffa7 SHA512 1a0c67bdabeb1ea8cba7a0f93c12ea626bdc329bbe8c3978f03cb25a78c74fa3257a36f2ed53c177b3a256bca2c0dd8081bab1536b0670e1ec9c0541ac23fc11
+AUX curl-7.86.0-proxy-noproxy-tailmatching.patch 2302 BLAKE2B c4199bc1eb04c8c69f8c72397ce526df6c2186151f77d5e13551e589712e9032e1a52720bd1b946a1b5b984f49a01b297410f4cf74814a58bf4bf43701435c76 SHA512 aa211a5428cc746d07cfd37571169d59ccc97560a69e7c6d21cc8b4a133182366264470de540e1813eee51b376d9056ec8dd01f8e95957e58a83f33d37db0442
AUX curl-respect-cflags-3.patch 406 BLAKE2B 1b533144858aff5566150c4a2648ad2e48e8ff29849ae285592edfee4b3332d06e750395dea7190ee6a01d2b5ee2c2c42c10400c2e5defa09963a90a1a10417d SHA512 3219e4e67d534e35012909243fc8d69d58989462db44dd507c502e7aaa299f1d9a01392e2c83797cc2bdb53d503470c5d6e7bf94572a6ccc6e5eafcc0466bc54
DIST curl-7.84.0.tar.xz 2477944 BLAKE2B 811a63285f39a598bc4fd73ae4b8e23e5146b93dcf3eea805345792b7dddd85bbd54240d9871a0dc9f058d58fd7ea7f4efbcb82727218e8afaaae3600bad55e1 SHA512 86231866a35593a1637fbc0c6af3b6761bdfd99fb35580cc52970c36f19604f93dce59fea67a1d5bb4b455f719307599c7916c77d14f2b661f6bf7fb1ca716ce
DIST curl-7.84.0.tar.xz.asc 488 BLAKE2B d74dea89fa89b6ed0a928e01987669f7dde0bcbb30423ea0f3af9f31eea1e059d458629d80455d772264d744fab236d4f506545afa1bfbd6ded7e2b27192a7c8 SHA512 80ff5274277ad97448fa53511bab6e8a1c302bcb25fc0916d78b8dc6c6af43d944c37c4ed46668b651cc639ec4964780725117ca0e85168ea66ad7cc98d29702
@@ -10,5 +12,6 @@ DIST curl-7.86.0.tar.xz 2518356 BLAKE2B a1de7feb229de42bf1deeb5017f97df3b1c10c75
DIST curl-7.86.0.tar.xz.asc 488 BLAKE2B a9abe2f3af801b3a48be7db09cb82b6bb83bd26a9d5caf51c0d5a4a2e6881fb478f1768a6b71efbd9283563e2c7e2badbc5a6d6df265013e14eee2ec7e9be148 SHA512 9e97d5f44b3c856f401fe30ba713e1ca1f74edfc693dc42f1ce8e43f9f6dd4bf6998c579bc9c5d0f749f475a7d67d232e92ab6f89b95141acdb53e149f2312f0
EBUILD curl-7.84.0.ebuild 8365 BLAKE2B 60758e9c23ab94612542434e0adb6602602128e455aff50c8f9da2cbdb58e27fa396bfd0011a3c461ac519e6faa25712ec80351bad3b45a7faf758aefdcbade6 SHA512 9d53b069da866f1acf875ee8615a11c8e0d5f8a88011f85ab7c8ec6e301de0d693df09d265670f0ae758aac5b923bd02a79ee0beffe5bc1454830ac876d1a652
EBUILD curl-7.85.0-r2.ebuild 8204 BLAKE2B ed3363c2ea324f4485c411ccfd7f049126e64ef6a748a9df9f0518f1e3864e4022f5e1689e2534f2eabeadebe12357d516d8c5f39b59d7a13d4e25aee5634ae5 SHA512 e46aa564a0d73a987e6b30d00d89d43e303074130df9aa0b984b929bceba0ec4db2e6564ce7c3b73b64119b59650f5cd304e15e27853890573c15dd2fb6fba44
+EBUILD curl-7.86.0-r1.ebuild 8358 BLAKE2B 3818cbdb66bfceb2be6eee8561f26d63fe4db9ce9efdde451f7d743a7fcc503eb7df8b7ed1829cd0a74d1182e16f6a036a8673e0350aa8d138d32c0a0d219af9 SHA512 98df2ea708001294c9b034259079465e2c1be9c9a3318d2f75d4b4cfeee5d6b0b152a3cb48929d07e30b2b0a2b0080501d6ba22d3e3e8ae97a99fba23ff8a8e4
EBUILD curl-7.86.0.ebuild 8253 BLAKE2B da0ca8206baead3da48b2a63ba6311933fa5fd8710a54cc4448a221596cdab57b86f1bfd67368c5357e06053de591b21575b7fe655fec6f7569375d569ff639b SHA512 a70e80311df4cd5eee6eaa0960390df71982c3d5465e6392c7e1068abbe97aacef1dddb1a3b1572063f0c7daf383a3bf31e8ea8f96b2c3291829a1bd9944dd3b
MISC metadata.xml 2103 BLAKE2B beb97305069a47f8eee68278dca5c0f10467d374c9fdab2ea27808b79a68cd921e2ab60bbb2455cbce2cdcada72e8c68290b40ec87ba31dad6ea580820f5c800 SHA512 27c15624622b074926307369bb41ad6cf532300154a70573618a072418358f5fc543eb56873e9836703073e8b42134a0387f3077e741377827a685cbf69faaab
diff --git a/net-misc/curl/curl-7.86.0-r1.ebuild b/net-misc/curl/curl-7.86.0-r1.ebuild
new file mode 100644
index 000000000000..5ab554508bc4
--- /dev/null
+++ b/net-misc/curl/curl-7.86.0-r1.ebuild
@@ -0,0 +1,289 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="8"
+
+inherit autotools prefix multilib-minimal verify-sig
+
+DESCRIPTION="A Client that groks URLs"
+HOMEPAGE="https://curl.haxx.se/"
+SRC_URI="https://curl.haxx.se/download/${P}.tar.xz
+ verify-sig? ( https://curl.haxx.se/download/${P}.tar.xz.asc )"
+
+LICENSE="curl"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="+adns alt-svc brotli +ftp gnutls gopher hsts +http2 idn +imap ipv6 kerberos ldap mbedtls nss +openssl +pop3 +progress-meter rtmp samba +smtp ssh ssl sslv3 static-libs test telnet +tftp websockets zstd"
+IUSE+=" curl_ssl_gnutls curl_ssl_mbedtls curl_ssl_nss +curl_ssl_openssl"
+IUSE+=" nghttp3 quiche"
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/danielstenberg.asc
+
+# Only one default ssl provider can be enabled
+REQUIRED_USE="
+ ssl? (
+ ^^ (
+ curl_ssl_gnutls
+ curl_ssl_mbedtls
+ curl_ssl_nss
+ curl_ssl_openssl
+ )
+ )"
+
+# lead to lots of false negatives, bug #285669
+RESTRICT="!test? ( test )"
+
+RDEPEND="ldap? ( net-nds/openldap:=[${MULTILIB_USEDEP}] )
+ brotli? ( app-arch/brotli:=[${MULTILIB_USEDEP}] )
+ ssl? (
+ gnutls? (
+ net-libs/gnutls:0=[static-libs?,${MULTILIB_USEDEP}]
+ dev-libs/nettle:0=[${MULTILIB_USEDEP}]
+ app-misc/ca-certificates
+ )
+ mbedtls? (
+ net-libs/mbedtls:0=[${MULTILIB_USEDEP}]
+ app-misc/ca-certificates
+ )
+ openssl? (
+ dev-libs/openssl:0=[sslv3(-)=,static-libs?,${MULTILIB_USEDEP}]
+ )
+ nss? (
+ dev-libs/nss:0[${MULTILIB_USEDEP}]
+ dev-libs/nss-pem
+ app-misc/ca-certificates
+ )
+ )
+ http2? ( net-libs/nghttp2:=[${MULTILIB_USEDEP}] )
+ nghttp3? (
+ net-libs/nghttp3[${MULTILIB_USEDEP}]
+ net-libs/ngtcp2[ssl,${MULTILIB_USEDEP}]
+ )
+ quiche? ( >=net-libs/quiche-0.3.0[${MULTILIB_USEDEP}] )
+ idn? ( net-dns/libidn2:0=[static-libs?,${MULTILIB_USEDEP}] )
+ adns? ( net-dns/c-ares:0=[${MULTILIB_USEDEP}] )
+ kerberos? ( >=virtual/krb5-0-r1[${MULTILIB_USEDEP}] )
+ rtmp? ( media-video/rtmpdump[${MULTILIB_USEDEP}] )
+ ssh? ( net-libs/libssh2[${MULTILIB_USEDEP}] )
+ sys-libs/zlib[${MULTILIB_USEDEP}]
+ zstd? ( app-arch/zstd:=[${MULTILIB_USEDEP}] )"
+
+# Do we need to enforce the same ssl backend for curl and rtmpdump? Bug #423303
+# rtmp? (
+# media-video/rtmpdump
+# curl_ssl_gnutls? ( media-video/rtmpdump[gnutls] )
+# curl_ssl_openssl? ( media-video/rtmpdump[-gnutls,ssl] )
+# )
+
+DEPEND="${RDEPEND}"
+BDEPEND="dev-lang/perl
+ virtual/pkgconfig
+ test? (
+ sys-apps/diffutils
+ )
+ verify-sig? ( sec-keys/openpgp-keys-danielstenberg )"
+
+DOCS=( CHANGES README docs/{FEATURES.md,INTERNALS.md,FAQ,BUGS.md,CONTRIBUTE.md} )
+
+MULTILIB_WRAPPED_HEADERS=(
+ /usr/include/curl/curlbuild.h
+)
+
+MULTILIB_CHOST_TOOLS=(
+ /usr/bin/curl-config
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-7.30.0-prefix.patch
+ "${FILESDIR}"/${PN}-respect-cflags-3.patch
+ "${FILESDIR}"/${P}-proxy-noproxy-tailmatching.patch
+ "${FILESDIR}"/${P}-proxy-noproxy-match-comma.patch
+)
+
+src_prepare() {
+ default
+
+ eprefixify curl-config.in
+ eautoreconf
+}
+
+multilib_src_configure() {
+ # We make use of the fact that later flags override earlier ones
+ # So start with all ssl providers off until proven otherwise
+ # TODO: in the future, we may want to add wolfssl (https://www.wolfssl.com/)
+ local myconf=()
+
+ myconf+=( --without-gnutls --without-mbedtls --without-nss --without-ssl )
+ myconf+=( --without-ca-fallback --with-ca-bundle="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt )
+ #myconf+=( --without-default-ssl-backend )
+ if use ssl ; then
+ if use gnutls || use curl_ssl_gnutls; then
+ einfo "SSL provided by gnutls"
+ myconf+=( --with-gnutls --with-nettle )
+ fi
+ if use mbedtls || use curl_ssl_mbedtls; then
+ einfo "SSL provided by mbedtls"
+ myconf+=( --with-mbedtls )
+ fi
+ if use nss || use curl_ssl_nss; then
+ einfo "SSL provided by nss"
+ myconf+=( --with-nss --with-nss-deprecated )
+ fi
+ if use openssl || use curl_ssl_openssl; then
+ einfo "SSL provided by openssl"
+ myconf+=( --with-ssl --with-ca-path="${EPREFIX}"/etc/ssl/certs )
+ fi
+
+ if use curl_ssl_gnutls; then
+ einfo "Default SSL provided by gnutls"
+ myconf+=( --with-default-ssl-backend=gnutls )
+ elif use curl_ssl_mbedtls; then
+ einfo "Default SSL provided by mbedtls"
+ myconf+=( --with-default-ssl-backend=mbedtls )
+ elif use curl_ssl_nss; then
+ einfo "Default SSL provided by nss"
+ myconf+=( --with-default-ssl-backend=nss )
+ elif use curl_ssl_openssl; then
+ einfo "Default SSL provided by openssl"
+ myconf+=( --with-default-ssl-backend=openssl )
+ else
+ eerror "We can't be here because of REQUIRED_USE."
+ fi
+
+ else
+ einfo "SSL disabled"
+ fi
+
+ # These configuration options are organized alphabetically
+ # within each category. This should make it easier if we
+ # ever decide to make any of them contingent on USE flags:
+ # 1) protocols first. To see them all do
+ # 'grep SUPPORT_PROTOCOLS configure.ac'
+ # 2) --enable/disable options second.
+ # 'grep -- --enable configure | grep Check | awk '{ print $4 }' | sort
+ # 3) --with/without options third.
+ # grep -- --with configure | grep Check | awk '{ print $4 }' | sort
+
+ myconf+=(
+ $(use_enable alt-svc)
+ --enable-crypto-auth
+ --enable-dict
+ --disable-ech
+ --enable-file
+ $(use_enable ftp)
+ $(use_enable gopher)
+ $(use_enable hsts)
+ --enable-http
+ $(use_enable imap)
+ $(use_enable ldap)
+ $(use_enable ldap ldaps)
+ --enable-ntlm
+ --disable-ntlm-wb
+ $(use_enable pop3)
+ --enable-rt
+ --enable-rtsp
+ $(use_enable samba smb)
+ $(use_with ssh libssh2)
+ $(use_enable smtp)
+ $(use_enable telnet)
+ $(use_enable tftp)
+ --enable-tls-srp
+ $(use_enable adns ares)
+ --enable-cookies
+ --enable-dateparse
+ --enable-dnsshuffle
+ --enable-doh
+ --enable-symbol-hiding
+ --enable-http-auth
+ $(use_enable ipv6)
+ --enable-largefile
+ --enable-manual
+ --enable-mime
+ --enable-netrc
+ $(use_enable progress-meter)
+ --enable-proxy
+ --disable-sspi
+ $(use_enable static-libs static)
+ --enable-pthreads
+ --enable-threaded-resolver
+ --disable-versioned-symbols
+ --without-amissl
+ --without-bearssl
+ $(use_with brotli)
+ --without-fish-functions-dir
+ $(use_with http2 nghttp2)
+ --without-hyper
+ $(use_with idn libidn2)
+ $(use_with kerberos gssapi "${EPREFIX}"/usr)
+ --without-libgsasl
+ --without-libpsl
+ --without-msh3
+ $(use_with nghttp3)
+ $(use_with nghttp3 ngtcp2)
+ $(use_with quiche)
+ $(use_with rtmp librtmp)
+ --without-rustls
+ --without-schannel
+ --without-secure-transport
+ $(use_enable websockets)
+ --without-winidn
+ --without-wolfssl
+ --with-zlib
+ $(use_with zstd)
+ )
+
+ ECONF_SOURCE="${S}" econf "${myconf[@]}"
+
+ if ! multilib_is_native_abi; then
+ # avoid building the client
+ sed -i -e '/SUBDIRS/s:src::' Makefile || die
+ sed -i -e '/SUBDIRS/s:scripts::' Makefile || die
+ fi
+
+ # Fix up the pkg-config file to be more robust.
+ # https://github.com/curl/curl/issues/864
+ local priv=() libs=()
+ # We always enable zlib.
+ libs+=( "-lz" )
+ priv+=( "zlib" )
+ if use http2; then
+ libs+=( "-lnghttp2" )
+ priv+=( "libnghttp2" )
+ fi
+ if use quiche; then
+ libs+=( "-lquiche" )
+ priv+=( "quiche" )
+ fi
+ if use nghttp3; then
+ libs+=( "-lnghttp3" "-lngtcp2" )
+ priv+=( "libnghttp3" "-libtcp2" )
+ fi
+ if use ssl && use curl_ssl_openssl; then
+ libs+=( "-lssl" "-lcrypto" )
+ priv+=( "openssl" )
+ fi
+ grep -q Requires.private libcurl.pc && die "need to update ebuild"
+ libs=$(printf '|%s' "${libs[@]}")
+ sed -i -r \
+ -e "/^Libs.private/s:(${libs#|})( |$)::g" \
+ libcurl.pc || die
+ echo "Requires.private: ${priv[*]}" >> libcurl.pc || die
+}
+
+multilib_src_test() {
+ # See https://github.com/curl/curl/blob/master/tests/runtests.pl#L5721
+ # -n: no valgrind (unreliable in sandbox and doesn't work correctly on all arches)
+ # -v: verbose
+ # -a: keep going on failure (so we see everything which breaks, not just 1st test)
+ # -k: keep test files after completion
+ # -am: automake style TAP output
+ # -p: print logs if test fails
+ # Note: if needed, we can disable tests. See e.g. Fedora's packaging
+ # or just read https://github.com/curl/curl/tree/master/tests#run.
+ multilib_is_native_abi && emake test TFLAGS="-n -v -a -k -am -p"
+}
+
+multilib_src_install_all() {
+ einstalldocs
+ find "${ED}" -type f -name '*.la' -delete || die
+ rm -rf "${ED}"/etc/ || die
+}
diff --git a/net-misc/curl/files/curl-7.86.0-proxy-noproxy-match-comma.patch b/net-misc/curl/files/curl-7.86.0-proxy-noproxy-match-comma.patch
new file mode 100644
index 000000000000..6c8f4067e8d5
--- /dev/null
+++ b/net-misc/curl/files/curl-7.86.0-proxy-noproxy-match-comma.patch
@@ -0,0 +1,86 @@
+https://bugs.gentoo.org/878365#c2
+https://github.com/curl/curl/issues/9813
+https://github.com/curl/curl/commit/efc286b7a62af0568fdcbf3c68791c9955182128
+
+From efc286b7a62af0568fdcbf3c68791c9955182128 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 27 Oct 2022 13:54:27 +0200
+Subject: [PATCH] noproxy: also match with adjacent comma
+
+If the host name is an IP address and the noproxy string contained that
+IP address with a following comma, it would erroneously not match.
+
+Extended test 1614 to verify this combo as well.
+
+Reported-by: Henning Schild
+
+Fixes #9813
+Closes #9814
+--- a/lib/noproxy.c
++++ b/lib/noproxy.c
+@@ -192,18 +192,22 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy)
+ /* FALLTHROUGH */
+ case TYPE_IPV6: {
+ const char *check = token;
+- char *slash = strchr(check, '/');
++ char *slash;
+ unsigned int bits = 0;
+ char checkip[128];
++ if(tokenlen >= sizeof(checkip))
++ /* this cannot match */
++ break;
++ /* copy the check name to a temp buffer */
++ memcpy(checkip, check, tokenlen);
++ checkip[tokenlen] = 0;
++ check = checkip;
++
++ slash = strchr(check, '/');
+ /* if the slash is part of this token, use it */
+- if(slash && (slash < &check[tokenlen])) {
++ if(slash) {
+ bits = atoi(slash + 1);
+- /* copy the check name to a temp buffer */
+- if(tokenlen >= sizeof(checkip))
+- break;
+- memcpy(checkip, check, tokenlen);
+- checkip[ slash - check ] = 0;
+- check = checkip;
++ *slash = 0; /* null terminate there */
+ }
+ if(type == TYPE_IPV6)
+ match = Curl_cidr6_match(name, check, bits);
+--- a/tests/data/test1614
++++ b/tests/data/test1614
+@@ -16,7 +16,7 @@ unittest
+ proxy
+ </features>
+ <name>
+-cidr comparisons
++noproxy and cidr comparisons
+ </name>
+ </client>
+ <errorcode>
+--- a/tests/unit/unit1614.c
++++ b/tests/unit/unit1614.c
+@@ -77,6 +77,20 @@ UNITTEST_START
+ { NULL, NULL, 0, FALSE} /* end marker */
+ };
+ struct noproxy list[]= {
++ { "127.0.0.1", "127.0.0.1,localhost", TRUE},
++ { "127.0.0.1", "127.0.0.1,localhost,", TRUE},
++ { "127.0.0.1", "127.0.0.1/8,localhost,", TRUE},
++ { "127.0.0.1", "127.0.0.1/28,localhost,", TRUE},
++ { "127.0.0.1", "127.0.0.1/31,localhost,", TRUE},
++ { "127.0.0.1", "localhost,127.0.0.1", TRUE},
++ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1."
++ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127."
++ "0.0.1.127.0.0.1.127.0.0." /* 128 bytes "address" */, FALSE},
++ { "127.0.0.1", "localhost,127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1."
++ "127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127.0.0.1.127."
++ "0.0.1.127.0.0.1.127.0.0" /* 127 bytes "address" */, FALSE},
++ { "localhost", "localhost,127.0.0.1", TRUE},
++ { "localhost", "127.0.0.1,localhost", TRUE},
+ { "foobar", "barfoo", FALSE},
+ { "foobar", "foobar", TRUE},
+ { "192.168.0.1", "foobar", FALSE},
+
diff --git a/net-misc/curl/files/curl-7.86.0-proxy-noproxy-tailmatching.patch b/net-misc/curl/files/curl-7.86.0-proxy-noproxy-tailmatching.patch
new file mode 100644
index 000000000000..15f5e64c91f3
--- /dev/null
+++ b/net-misc/curl/files/curl-7.86.0-proxy-noproxy-tailmatching.patch
@@ -0,0 +1,66 @@
+https://bugs.gentoo.org/878365#c2
+https://github.com/curl/curl/issues/9821
+https://github.com/curl/curl/commit/b830f9ba9e94acf672cd191993ff679fa888838b
+
+From b830f9ba9e94acf672cd191993ff679fa888838b Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 28 Oct 2022 10:51:49 +0200
+Subject: [PATCH] noproxy: fix tail-matching
+
+Also ignore trailing dots in both host name and comparison pattern.
+
+Regression in 7.86.0 (from 1e9a538e05c0)
+
+Extended test 1614 to verify better.
+
+Reported-by: Henning Schild
+Fixes #9821
+Closes #9822
+--- a/lib/noproxy.c
++++ b/lib/noproxy.c
+@@ -153,9 +153,14 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy)
+ }
+ else {
+ unsigned int address;
++ namelen = strlen(name);
+ if(1 == Curl_inet_pton(AF_INET, name, &address))
+ type = TYPE_IPV4;
+- namelen = strlen(name);
++ else {
++ /* ignore trailing dots in the host name */
++ if(name[namelen - 1] == '.')
++ namelen--;
++ }
+ }
+
+ while(*p) {
+@@ -177,12 +182,23 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy)
+ if(tokenlen) {
+ switch(type) {
+ case TYPE_HOST:
+- if(*token == '.') {
+- ++token;
+- --tokenlen;
+- /* tailmatch */
+- match = (tokenlen <= namelen) &&
+- strncasecompare(token, name + (namelen - tokenlen), namelen);
++ /* ignore trailing dots in the token to check */
++ if(token[tokenlen - 1] == '.')
++ tokenlen--;
++
++ if(tokenlen && (*token == '.')) {
++ /* A: example.com matches '.example.com'
++ B: www.example.com matches '.example.com'
++ C: nonexample.com DOES NOT match '.example.com'
++ */
++ if((tokenlen - 1) == namelen)
++ /* case A, exact match without leading dot */
++ match = strncasecompare(token + 1, name, namelen);
++ else if(tokenlen < namelen)
++ /* case B, tailmatch with leading dot */
++ match = strncasecompare(token, name + (namelen - tokenlen),
++ tokenlen);
++ /* case C passes through, not a match */
+ }
+ else
+ match = (tokenlen == namelen) &&