Pick up curl 7.72.0 current (#13063)

Picks up fix of CVE-2020-8231: libcurl: wrong connect-only connection
(Envoy does NOT use the affected CURLOPT_CONNECT_ONLY toggle,
this change simply satisfies overly-simplistic audits, and this further
reinforces issue #11816 )

Resolve premature force-AF_UNIX toggle in our working branch and
disables UNIX_SOCKETS on windows, until afunix.h is used for sys/un.h
(Breakage is between curl 7.69 and curl 7.72, which doesn't pick up afunix.h
on windows; will address and resolve upstream before revisiting at envoy.)

Work around misplaced -MD cflag on Windows build
See bazel-contrib/rules_foreign_cc#426
for comprehensive discussion of the defect. This workaround
could be dropped if rules_foreign_cc works around it for us.

Preparing for specific corrections to get curl building curl.lib
with cmake using clang-cl on Windows, starting at envoy and pushing
the fix(es) to CMakeLists.txt upstream.

Risk Level: low
Testing: local
Docs Changes: n/a
Release Notes: n/a

Signed-off-by: William A Rowe Jr <[email protected]>
Co-authored-by: Sunjay Bhatia <[email protected]>

bazel/foreign_cc/BUILD

@@ -115,8 +115,9 @@ envoy_cmake_external(
         "CMAKE_USE_GSSAPI": "off",
         "HTTP_ONLY": "on",
         "CMAKE_INSTALL_LIBDIR": "lib",
-        # Explicitly enable Unix sockets and disable crypto for Windows
-        "USE_UNIX_SOCKETS": "on",
+        # Explicitly enable Unix sockets, once afunix.h is correctly detected
+        # "USE_UNIX_SOCKETS": "on",
+        # Explicitly disable "Windows" crypto for Windows
         "CURL_DISABLE_CRYPTO_AUTH": "on",
         # C-Ares.
         "ENABLE_ARES": "on",
@@ -138,6 +139,10 @@ envoy_cmake_external(
         "ZLIB_INCLUDE_DIR": "$EXT_BUILD_DEPS/zlib/include",
         "CMAKE_CXX_COMPILER_FORCED": "on",
         "CMAKE_C_FLAGS_BAZEL": "-fPIC",
+        # Note we use Bazel's flags (not _RELEASE/_DEBUG CMake flags), but this toggle
+        # also works around a bug in CMP0091 logic which re-injected a badly placed -M flag.
+        # See https://github.com/bazelbuild/rules_foreign_cc/issues/426
+        "CURL_STATIC_CRT": "on",
     },
     defines = ["CURL_STATICLIB"],
     generate_crosstool_file = True,

bazel/repositories.bzl

@@ -674,8 +674,6 @@ def _com_github_curl():
         build_file_content = BUILD_ALL_CONTENT + """
 cc_library(name = "curl", visibility = ["//visibility:public"], deps = ["@envoy//bazel/foreign_cc:curl"])
 """,
-        patches = ["@envoy//bazel/foreign_cc:curl-revert-cmake-minreqver.patch"],
-        patch_args = ["-p1"],
         **location
     )
     native.bind(

bazel/repository_locations.bzl

@@ -522,8 +522,8 @@ DEPENDENCY_REPOSITORIES_SPEC = dict(
     com_github_curl = dict(
         project_name = "curl",
         project_url = "https://curl.haxx.se",
-        version = "7.69.1",
-        sha256 = "01ae0c123dee45b01bbaef94c0bc00ed2aec89cb2ee0fd598e0d302a6b5e0a98",
+        version = "7.72.0",
+        sha256 = "d4d5899a3868fbb6ae1856c3e55a32ce35913de3956d1973caccd37bd0174fa2",
         strip_prefix = "curl-{version}",
         urls = ["https://github.com/curl/curl/releases/download/curl-{underscore_version}/curl-{version}.tar.gz"],
         use_category = ["dataplane"],

test/dependencies/curl_test.cc

@@ -27,7 +27,15 @@ TEST(CurlTest, BuiltWithExpectedFeatures) {
   EXPECT_NE(0, info->features & CURL_VERSION_HTTP2);
   EXPECT_EQ(0, info->features & CURL_VERSION_GSSAPI);
   EXPECT_EQ(0, info->features & CURL_VERSION_KERBEROS5);
+#ifndef WIN32
   EXPECT_NE(0, info->features & CURL_VERSION_UNIX_SOCKETS);
+#else
+  // TODO(wrowe): correct to expected, when curl 7.72 and later is patched
+  // or fixed upstream to include `afunix.h` in place of `sys/un.h` on recent
+  // Windows SDKs (it may be necessary to be more specific because older
+  // SDKs did not provide `afunix.h`)
+  EXPECT_EQ(0, info->features & CURL_VERSION_UNIX_SOCKETS);
+#endif
   EXPECT_EQ(0, info->features & CURL_VERSION_PSL);
   EXPECT_EQ(0, info->features & CURL_VERSION_HTTPS_PROXY);
   EXPECT_EQ(0, info->features & CURL_VERSION_MULTI_SSL);