daniel:// stenberg://

1 month ago

daniel:// stenberg://
1 month ago

Writing C for #curl

daniel.haxx.se/blog/2025/04/07…

Writing C for curl

It is a somewhat common question to me: how do we write C in curl to make it safe and secure for billions of installations? Some precautions we take and decisions we make. There is no silver bullet, just guidelines.

^{daniel.haxx.se}

#curl

Unknown parent

daniel:// stenberg://

Unknown parent 1 month ago

@mtrigo yes, I agree

@Murilo Trigo

in reply to daniel:// stenberg://

Harald Eilertsen

in reply to daniel:// stenberg:// 1 month ago

@daniel:// stenberg:// Nice and sensible rules. I particularly like the focus on readable code. I think a lot of mistakes (in any language) comes from trying to be too clever, or weird tricks to "optimize" the code.

@daniel:// stenberg://

in reply to Harald Eilertsen

daniel:// stenberg://

in reply to Harald Eilertsen 1 month ago

@harald I think I did a lot of that in my younger years as well. Coming back to and making sense of your own code 10-20 years later can be a humbling experience.

@Harald Eilertsen

in reply to daniel:// stenberg://

Akseli

in reply to daniel:// stenberg:// 1 month ago

frustration about words "poisonous snakes"

Sensitive content

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 month ago

on hacker news => news.ycombinator.com/item?id=4…

Writing C for Curl | Hacker News

^{news.ycombinator.com}

in reply to daniel:// stenberg://

daniel:// stenberg://

in reply to daniel:// stenberg:// 1 month ago

this quote made my day:

"Curl is one of the very few projects I managed to contribute to with a very simple PR.

At the time, I was a bit lost with their custom testing framework, but was very impressed by the ease of contributing to one of the most successful open-source project out there."

Bubu reshared this.

in reply to daniel:// stenberg://

Marijke Luttekes

in reply to daniel:// stenberg:// 1 month ago

One of the best compliments for a project!

For OSS contributors, you could legit do a talk or series about how you made curl accessible to new contributors.

(Not to pile more work on you 😅)

Unknown parent

daniel:// stenberg://

Unknown parent 1 month ago

@0xDEADBEEF they're not. We've talked about it briefly, but the amount of extra work that will bring is not insignificant so it has not happened yet at least.

@HTTP 418

in reply to daniel:// stenberg://

Stefan Gast

in reply to daniel:// stenberg:// 1 month ago

That is a lot of good advice in an easy-to-read, compact form. I will definitely recommend it to my students, too. Thank you a lot – also for curl, on this occasion! 🙂

in reply to daniel:// stenberg://

L. Pereira

in reply to daniel:// stenberg:// 1 month ago

sscanf() can indeed have some weird and surprising behavior!

For instance, a while back, a fuzzer timed out on a sscanf("%d", ...), while looking for a space, and I ended up writing a workaround: github.com/lpereira/lwan/blob/…

(More important parts of the code aren't using this function anymore.)

lwan/src/lib/lwan-config.c at master · lpereira/lwan

Experimental, scalable, high performance HTTP server - lpereira/lwan

^GitHub

in reply to L. Pereira

daniel:// stenberg://

in reply to L. Pereira 1 month ago

@lafp yeps, sscanf just eventually caused us one too many surprises we had to let it go and now we sleep better at nights!

@L. Pereira

in reply to daniel:// stenberg://

Abe Massry

in reply to daniel:// stenberg:// 1 month ago

I have had it with these bot submitted false positive vulnerabilities , on this HTTplane!

in reply to daniel:// stenberg://

Abe Massry

in reply to daniel:// stenberg:// 1 month ago

sry. Read the article

I have had it with these C bugs related to memory safety, on this HTTplane!

in reply to daniel:// stenberg://

Gregory

in reply to daniel:// stenberg:// 1 month ago

someone translated this article to Russian: habr.com/ru/articles/898714/

Как мы пишем код для curl на C

Мне часто задают такой вопрос: как мы пишем на C код для curl, чтобы он был безопасным и надёжным в миллиардах установок? Мы предпринимаем определённые меры и пр...

^{PatientZero (Habr)}

⇧

daniel:// stenberg:// 1 month ago • •

daniel:// stenberg://
1 month ago