Spanking new AI slop report on #curl received and another reporter banned: hackerone.com/reports/3392174
curl disclosed on HackerOne: Buffer Overflow in WebSocket Handshake...
## Summary: Buffer overflow vulnerability in curl's WebSocket implementation due to unsafe use of strcpy() in the handshake process. The vulnerability is located at lib/ws.c:1287 where...HackerOne
This entry was edited (1 month ago)
Oto Šťáva
in reply to daniel:// stenberg:// • • •Piggo
in reply to Oto Šťáva • • •daniel:// stenberg://
in reply to Piggo • • •@piggo @alefunguju strncpy() is almost never the right answer and is more often than not rather leading to bad code, to the extent that we ban that function in curl since a while back
If the target buffer fits the data we copy to it, there is no point in using strncpy. Period.
Wolf480pl
in reply to daniel:// stenberg:// • • •@piggo @alefunguju
daniel:// stenberg://
in reply to Wolf480pl • • •jo the disgraced
in reply to daniel:// stenberg:// • • •faker
in reply to daniel:// stenberg:// • • •Adam
in reply to daniel:// stenberg:// • • •just said "hell yeah!" out loud, in public, when I saw your reply to "I'll be more careful next time"
I'm not a programmer but can vaguely read it and I'm looking through that code snippet and thinking "but isn't this...working entirely as its meant to?". Also, step 4? Perfect slop right there.
daniel:// stenberg://
in reply to Adam • • •Gregory
in reply to daniel:// stenberg:// • • •Max
in reply to daniel:// stenberg:// • • •