I will admit that adding this function to the library API was a bad idea, but that's a decision we are stuck with through the decades since we don't break the ABI
Seriously! I always thought that it was a very ingenious way of handling things. Then how would you structure curl differently if you were to do it all over again?
Summary:
The curl_mfprintf function in the curl_printf.h file contains a format string vulnerability that allows an attacker to inject arbitrary format specifiers. This can lead to unauthorized...
That "Additionally, I have another topic I would like to discuss, and here it is.", followed by nothing, almost tastes like an LLM wrote (parts) of the text.
powersoffour
in reply to daniel:// stenberg://
I almost asked if you had written about ABI stability ... before realizing I mistyped my google query and then I discovered you wrote at *length* about it. For anyone coming who is similarly curious, this is the blog entry @bagder wrote last week about ABI breakages, which I missed:
daniel.haxx.se/blog/2024/10/30…
Thank you for sharing your thoughts on this.
Eighteen years of ABI stability
Jerry Lundström
in reply to daniel:// stenberg://
return -2?
Or have you looked into #pragma warning stuff to warn on deprecated interfaces?
Can't support the ABI in infinity...
Richard Schneeman
in reply to daniel:// stenberg://
The docs (curl.se/libcurl/c/curl_mprintf…) state:
"We discourage users from using any of these functions in new applications."
Maybe it could be stronger? Perhaps:
> "These functions are deprecated, but not removed due to ABI backwards compatibility. We STRONGLY discourage anyone from using these functions in new applications, and encourage existing uses to move to <SUGGESTION>. No bug reports, security or otherwise, will be accepted against these functions."
libcurl - curl_mprintf()
Björn Fahller
in reply to daniel:// stenberg://
CURL* uninit_1;
CURLoption uninit_2;
char* uninit_3;
curl_easy_setopt(uninit_1, uninit_2, uninit_3);
Very unsafe API, much bug bounty received. Right?
daniel:// stenberg://
in reply to daniel:// stenberg://
now this report is disclosed: hackerone.com/reports/2819666
For educational purposes
curl disclosed on HackerOne: Exploitable Format String...