hmm, I think this CVE fix may have broken my use of ~/.netrc with the GitHub REST API. Ran into an issue where my normal usage pattern of curl, which includes a "netrc-optional" entry in ~/.curlrc and a GitHub personal access token in ~/.netrc, no longer adds an "Authorization: ..." header to my requests, correlated in time with installing curl 8.11.1 via homebrew.
I'll see if I can produce a properly reduced test case and bisect down to one commit.
While developing that test I discovered an interesting factor: the bug seems to only be triggered in combination with the `--netrc-optional` option, notwithstanding whether that option is passed directly on the command line or whether it appears in `~/.curlrc`.
I wish I could have strace'd into exactly what's happening at file parse time. Hopefully this is useful enough!
I did this Given an executable test script with the following contents named test-curl which will ruthlessly shove aside any existing ~/.netrc file..: #!/usr/bin/env bash if ((BASH_VERSINFO < 4)); ...
When a specific hostname matched, and only a password is set before another machine is specified in the netrc file, the parser would not be happy and stop there and return the password-only state. ...
It is a logic flaw in the way curl parses .netrc file. In certain situations, the configured password can be sent to a incorrect host. Luckily the affected configurations should be quite rare and thus the situation is unlikely to occur often.
The issue has existed in the curl source code for almost twenty-five years.
Welcome to another curl release. This time we do a bugfix only release, five weeks since the previous version shipped. Release Presentation Today at 09:00 UTC I will do a live-streamed video presentation of curl 8.11.1 on Twitch.
is there perhaps a graph based on this data that shows the average length security vulns exist in curl over the length of the project? to (hopefully) demonstrate that security vulns are getting addressed quicker in more recent years?
Projekt OpenWrt nedávno oznámil přechod ze stávajícího formátu balíčků opkg na apk. Co to znamená pro běžného uživatele? Jak se tyto dva formáty a nástroje s nimi pracující vlastně liší?
Donald #Trump Controls a Publicly Traded Company. Now He Will Pick Its Regulator. —
There have been internal concerns that Trump Media could be misleading investors, a source said. But with its largest shareholder about to be president, experts doubt the SEC is up to the job of investigating Truth Social’s parent company.
@aardrian I'd say at this point citizens have to exercise their intelligence. If until now they did not realize that DJT is a speculative company that only benefits gamers and speculators, then no oversight will help. Simply do not invest if you do not want to get burned or help soemone get rich on your money! Else, do not complain...
‘Brain rot’ is the Oxford word of the year – a fitting choice, given the startling impact the internet is having on our grey matter, says journalist Siân Boyle
A judge granted WP Engine’s request for a preliminary injunction against Automattic and its CEO Matt Mullenweg in their dispute over the WordPress trademark.
Na klar, na? Da soll ich also schnellstens mein Online-Banking unter "klarna-verfahren.com" über den Link in der SMS "aktualisieren". Als ob ich freiwillig einen solchen Service überhaupt nutzen würde. Alles Klar, na?
(PS: Hab solche SMS bislang nie bekommen, sehe so etwas also zum ersten Mal aus erster Hand)
@c_th1 Einer der Gründe für diesen Toot. Für mich ist das eindeutig, da ich Klarna nicht nutze. Jemand, der Klarna verwendet, ist vielleicht unsicher. Wenn Mensch da weiß, dass solcher Scam unterwegs ist, hilft das vielleicht, Unheil zu vermeiden.
@DocAimless Ah. Da könnte ich noch eine Email mit "bitte begleichen Sie die korrigierte Rechnung" ergänzen, die ich kürzlich erhielt. Inclusive Reply-Chain der Kommunikation mit einer Adresse auf meiner Domain, die es dort gar nicht gibt. Komisch nur, dass DIESE Mail an eine ganz andere Email ging, die es natürlich gab (sonst hätte ich sie ja nicht bekommen). Also, Korrektuarabsprache mit Gabi Gibtsnich im Reply-Chain, dann Rechnung an mich 🤷♂️ Dachte mir, soll Gabi G. zahlen 🤪 @codestupser
Aira is now available at every Chase Bank branch in the U.S.! Bank customers can connect with a visual interpreter on-demand while in any branch, using Chase Bank ATMs, or when accessing online banking services. All calls are free of charge with the Chase Bank access offer.
"As a Chase customer and Aira user, I'm excited at the added accessibility this offer gives me! I love that I can call in and get the support I need to use the ATM or navigate the store on my own terms." - Aira Explorer
This full roll-out follows a successful pilot at 46 Chase Bank Innovation Lab locations as Chase expands efforts to meet the needs of its blind and low vision members.
Neo Backup is a fork of OAndBackup bringing support for new Android versions & updated looks. It lets you make and restore backups of apps on your device and save app data to a user-accessible location. Needs root.
After figuring how to get the zlib-ng issue disappear (not me!) the app is now RB & the new release tomorrow will have the green shield up
Bývalý riaditeľ detského tábora Chachaland Roman Paulíny je vinný zo sexuálneho zneužívania 14-ročnej Kataríny Danovej. Mestský súd Bratislava I ho odsúdil na trest odňatia slobody na dva roky s podmienečným odkladom na dva roky.
@schmaker Táto obeť sa rozhodla dobrovoľne vystúpiť z anonymity už pred rokmi, čím prakticky naštartovala to, čoho výsledok vidíme teraz. Veľký kus odvahy, obrovský kus traumy a brutálna obžaloba našej spoločnosti, že to muselo zájsť až takto ďaleko.
Two thoughts on this: first, it’s interesting that other industries are now profiting off corporations like Walgreens successfully blaming shoplifters for their price gouging & bad practices.
Second, it’s an interesting time for a CEO to get mouthy in public.
Wait. Copilot will be taking over alt+space on Windows? That is not okay. How will we access the system menu that has existed since forever containing minimise, maximise, etc.? Also, wtf aren't they just using Windows+c or the Copilot key they forced upon us? theverge.com/2024/12/10/243182…
The more I see stupid shit like this, the more I’m glad I’m moving away from windows. LOL. Sorry but I’m just so over things like this going through without any thought at all to the impact to their long-term users.
@ZBennoui I suppose what I find interesting (and maybe telling) is that the Windows Store Chat GPT app also uses this shortcut. I wonder if they're now just repackaging that app as the copilot one with some flavor changes or there's a deeper partnership happening there, that's interesting about this pivot.
@clv0 I think PowerToys has a tool to do this? And probably SharpKeys as well? But I haven't tried myself. Or you could probably do it more simply with AutoHotkey, but that requires that the script is always running, though it doesn't use much in terms of resources.
@clv0 AutoHotkey is a great piece of software, but maybe a bit heavy-handed for remapping one key to another if there's an alternative. If SharpKeys can do it in the registry, that will stick without having additional software running, so I'd try that first. @jcsteh
@jscholes thanks, but unfortunately, seems that SharpKeys cannot remap a shortcut to a single key. It turns out that copilot key doesn't trigger a single key, but rather a shortcut: win+shift+f23.
@jscholes A member of the AutoHotkey community just posted a workaround that one may perhaps get used to. See the last answer on this topic: autohotkey.com/boards/viewtopi…
Microsoft seriously has to take screen reader users into account when looking at the reassigning of keys that have been in use for years for common tasks.
@douglawlor I think Microsoft stopped caring about delightful accessibility a little while back. They were trying really hard for a few years, but I think those days are done since everyone there got drunk on AI.
Musk an those like him believe in, and live by, a fundamentally different moral code from the rest of us. They genuinely believe that their greatest moral responsibility is increasing profits for the benefit of shareholders. Everything else, including human life, is peripheral to that central and highest good.
This release adds support for #Passbook (#pkpass) files, commonly used for event tickets and more!
It also contains some other minor fixes and better handling of image thumbnails (especially transparent ones).
On the end-user side, this release probably doesn't look that different, but it contains some major code refactoring. It is also the first release with #Kotlin code in it.
Today, at Framasoft (bonjour!), we publish the very first version of the PeerTube Mobile app for android and iOS. A lot of care went into its conception, to help a wider audience watch videos and...
Ich habe, bevor @k9mail von @mozilla für @thunderbird übernommen wurde, immer monatlich über GitHub unterstützt. Da ich k9 weiterhin nutze, ging die Spende dieses Jahr an Mozilla. Das ist echt einfach gemacht in der App, schwupps über G-Pay. Ich konnte endlich mal die Gutscheine einlösen.
Unterstützt Open Source - mich würde auch interessieren was für Chromium Derivate die ganzen Google Hasser nutzen, anstatt Gecko. 🤷
Microsoft has released the Windows 11 KB5048667 and KB5048685 cumulative updates for versions 24H2 and 23H2 to fix security vulnerabilities and issues.
China unveils all-terrain SPHERICAL robocops to chase down, bludgeon & catch criminals using net-launching cannons "...The AI-powered bot beasts are capable of not only stopping crime, but somehow detecting it too." the-sun.com/tech/13058237/chin…
CHINA has unveiled unbreakable, spherical robo-cops which have been seen rolling around cities – ready to catch criminals. The AI-powered bot beasts are capable of not only stopping crime, bu…
Sara è una donna, una madre. È disoccupata, single e migrante. La sua è un’identità stratificata, unica e irripetibile, eppure queste caratteristiche sociali la renderanno sospetta per tutta la vita. Perché per un modello matematico – e per il governo del suo paese – Sara è solo un insieme di indicatori che, sommati tra loro, generano un alto punteggio di rischio, una previsione statistica che la trasforma in una potenziale criminale. Ma la sua unica colpa è quella di essere se stessa, e di condividere un profilo simile ad altre persone esistite e accusate prima di lei.
Fewer people than ever use the once popular web browser, but Mozilla remains profitable thanks to Google. How long can that trend continue with the Department of Justice coming after Google?
I don’t think most people realize how Firefox and Safari depend on Google for more than “just” revenue from default search engine deals and prototyping new web
I can't wait to see how people use default field values in #Rust! It felt like an eternity to land this (specially if we count the years of discussion before the, I believe, 3rd RFC was accepted), but as of next nightly you will be able to write
Initial implementation of #[feature(default_field_values], proposed in rust-lang/rfcs#3681.
We now parse const expressions after a = in a field definition, to specify a struct field default value.
...
Did you catch the recent ACB Vispero Presentation - Use the Thunderbird Email Client With JAWS? In case you missed it, the archive is now available: acb-community.pinecast.co/epis…
Ben Zanin
in reply to daniel:// stenberg:// • • •hmm, I think this CVE fix may have broken my use of ~/.netrc with the GitHub REST API. Ran into an issue where my normal usage pattern of curl, which includes a "netrc-optional" entry in ~/.curlrc and a GitHub personal access token in ~/.netrc, no longer adds an "Authorization: ..." header to my requests, correlated in time with installing curl 8.11.1 via homebrew.
I'll see if I can produce a properly reduced test case and bisect down to one commit.
daniel:// stenberg://
in reply to Ben Zanin • • •Ben Zanin
in reply to daniel:// stenberg:// • • •daniel:// stenberg://
in reply to Ben Zanin • • •Ben Zanin
in reply to daniel:// stenberg:// • • •Issue filed with a reduced replication test!
github.com/curl/curl/issues/15…
While developing that test I discovered an interesting factor: the bug seems to only be triggered in combination with the `--netrc-optional` option, notwithstanding whether that option is passed directly on the command line or whether it appears in `~/.curlrc`.
I wish I could have strace'd into exactly what's happening at file parse time. Hopefully this is useful enough!
curl CLI v8.11.1 fails to offer HTTP Basic auth specified in .netrc when invoked with --netrc-optional · Issue #15767 · curl/curl
GitHubdaniel:// stenberg://
in reply to Ben Zanin • • •daniel:// stenberg://
in reply to Ben Zanin • • •netrc: fix password-only entries by bagder · Pull Request #15768 · curl/curl
GitHubBen Zanin
in reply to daniel:// stenberg:// • • •