daniel:// stenberg://

3 months ago

daniel:// stenberg://
3 months ago

Detecting malicious Unicode in #curl

daniel.haxx.se/blog/2025/05/16…

Detecting malicious Unicode

In a recent educational trick, curl contributor James Fuller submitted a pull-request to the project in which he suggested a larger cleanup of a set of scripts.

^{daniel.haxx.se}

#curl

Federico Mena Quintero reshared this.

in reply to daniel:// stenberg://

katch wreck

in reply to daniel:// stenberg:// 3 months ago

maybe there is a sufficiently high dimensional electric field whose curl, when properly discretized, could precisely represent every source bode byte

in reply to daniel:// stenberg://

Harald Eilertsen

in reply to daniel:// stenberg:// 3 months ago

@daniel:// stenberg://

We are the curl project. We can do better.

Love that attitude!

Great writeup and reminder about how easy it is to be tricked by the simple stuff. Using homoglyphs like these is relatively common in phishing emails, but we may not bee good enough at looking for them elsewhere.

@daniel:// stenberg://

in reply to daniel:// stenberg://

Neromabene

in reply to daniel:// stenberg:// 3 months ago

Vulnerabilities happen. The team seems to be on top of things so cheers.

in reply to daniel:// stenberg://

B'ad Samurai 🐐

in reply to daniel:// stenberg:// 3 months ago

since Michael Hanley (previous GitHub CISO) left for GE, do they have a replacement yet? I personally had really great interaction with him and his teams, but since his departure it's been lights-off and that's concerning.

in reply to B'ad Samurai 🐐

daniel:// stenberg://

in reply to B'ad Samurai 🐐 3 months ago

I have made GitHub aware of how I consider this a flaw in their site and an attack surface they are not helping much to combat. We will have to see how they respond.

This entry was edited (3 months ago)

in reply to daniel:// stenberg://

:hacker_p: :hacker_f: :hacker_t:

in reply to daniel:// stenberg:// 3 months ago

Just opened a ticket to implement this on company level. I suppose that this is also a threat wenn people copy/pase code into our main production system 🫣

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 3 months ago

GitHub has told me they have raised this as a security issue internally and they are working on a fix.

in reply to daniel:// stenberg://

Stefan Eissing

in reply to daniel:// stenberg:// 3 months ago

good to hear!

in reply to daniel:// stenberg://

Tom

in reply to daniel:// stenberg:// 3 months ago

@sebsauvage In 2018 I raised a similar issue (arguably worse), but they didn't care... I wonder if they fixed it since.

@sebsauvage

in reply to daniel:// stenberg://

elmuerte

in reply to daniel:// stenberg:// 3 months ago

That reminds me of the case where a colleague had issues applying a log4j mitigation back in 2021. System wouldn't start because the command line was wrong.
The recommendation he followed was nicely formatted and used a ‐ instead of -.

in reply to elmuerte

daniel:// stenberg://

in reply to elmuerte 3 months ago

@elmuerte for curl we nowadays check for and warn if a unicode double-quote is found where a normal ascii double-quote was probably intended. Because so many people copy and past command lines from webpages that use unicode double-quotes...

@elmuerte

in reply to daniel:// stenberg://

elmuerte

in reply to daniel:// stenberg:// 3 months ago

That's great. I guess we're at the point where we need non-ascii detection in our clipboards.

When I suggested to my colleague to press backspace and press the minus key he was dumbstruck that git detected a file change.

in reply to daniel:// stenberg://

Alex

in reply to daniel:// stenberg:// 3 months ago

thank you for writing about your learnings (as always) that is how other maintainers learn.

⇧

daniel:// stenberg:// 3 months ago • •

daniel:// stenberg://
3 months ago