Search

Items tagged with: Curl

On Thursday next week (Dec 4) I will do a tiny #curl webinar. Sign up for it here: us02web.zoom.us/webinar/regist…

It will be made available on video after the fact.

tiny-curl is a libcurl flavor designed for the smaller devices. Same API. Same reliability. With some protocols and features cut out making a (much) smaller footprint. See curl.se/tiny/


Welcome! You are invited to join a webinar: tiny-curl 101: Secure Communication with a Small Footprint. After registering, you will receive a confirmation email about joining the webinar.

Join curl founder Daniel Stenberg on December 4th at 9 AM PT for a focused introduction to tiny-curl, the lightweight version of curl designed for resource-constrained environments and embedded users.
Zoom
#curl

just discovered that `curl --help` takes an optional category as an argument. nice! #curl
#curl

#curl

Interesting numbers.

#curl on my Linux machine can download a large file from http://localhost at 5.0GiB/sec. Pointing to the file:// version of the exact same file "only" increases the speed to .8.8GiB/sec.

#curl

So, curl doesn’t integrate with libsecret in any way? I assume that since there’s no discussion on the main mailing list of in the GitHub issues for it that I’m somehow being dumb thinking I want it.
If the service that I’m authenticating to uses basic auth, and I don’t want to store my passwords in a .netrc in my HOME or pass it in clear on the command-line, what are my best options?
@bagder
#curl #gnome_libsecret #infosec #LazyWeb
#infosec #curl #gnome_libsecret #lazyweb @daniel:// stenberg://

I believe I have actually gotten several awards for my work on #curl for at least partly those reasons...
#curl

#curl

#curl

On this day nine years ago, #curl received its first security audit report.

daniel.haxx.se/blog/2016/11/23…


curl security audit

"the overall impression of the state of security and robustness of the cURL library was positive." I asked for, and we were granted a security audit of curl from the Mozilla Secure Open Source program a while ago.
daniel.haxx.se
#curl

#curl

How AI helps us build higher bar charts in the #curl project
Chart showing number of Hackerone submissions per year, showing 2025 being higher than all other years and yet the number of confirmed vulnerabilities is lower than the four previous years...
#curl

Ah, #curl still in use, I see:

> otool -L ~/.cargo/bin/rustup
...
/usr/lib/libcurl.4.dylib

and cargo itself is:
~/.cargo/bin/cargo -> rustup

We try to keep it all safe to the best of our abilities.😌

#curl

We crank it up to over 3,000 this year. #curl
lots of vertical bars showing commits per year in the curl project. 2025 raises above all others with 3011 commits so far
#curl

#curl

In today's edition of #ChatGPT imagines a non-existent #curl feature, much to @bagder 's dismay...

As passed along by my colleague who discovered this, the prompt included: "find a website that is actually hosted on physical infrastructure in Guam"

and ChatGPT suggested one on #Akamai but then suggested using the no-existent --no-cdn flag to skip straight to the origin. Please don't take this as a suggestion to implement such a feature. 🙂

Prompt was: "If your goal is to find a website that is actually hosted on physical infrastructure in Guam (not just “serving Guam” or using a Guam-themed domain), here are the reliable ways to identify or locate such sites, plus a few examples." Response contained: 5. Guam Visitors Bureau https:/jwww.visitguam.com » + Mixed hosting (Akamai CDN). e BUT: Their origin server (not the CDN edges) is in Guam. If you use —-no-cdn via curl tricks or DNS origin lookup, you will hit the Guam origin.
#chatgpt #curl #Akamai @daniel:// stenberg://

A real Hackerone #curl report title!:

"Out-of-bounds read in *** potential crash. This is sharp, <reporter name>. We've got a real memory safety bug"

The AI is helpfully cheering the guy onwards to slopping. Of course, it is a false positive.

#curl

In 2007 I did a talk about #curl at the FSCONS conference. The video is lost in time but today I realized that FSF Europe is still hosting the torrent file.

Not too many seeders of that content left though... 😎

download.fsfeurope.org/torrent…

#curl

#curl

#curl

I have already been asked how we intend to celebrate #curl's 30th anniversary next November (counted from httpget's birth)

But no, I have no idea. I'll think about that in about 11 months

#curl

Started a discussion about adding a timer notification to libcurl. If you use the "multi" interface, maybe you have an opinion?

#curl
github.com/curl/curl/
discussions/19553


GitHub - curl/curl: A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, T

A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...
GitHub
#curl

#curl

#curl

#curl

if you are not happy on your FIPS system with modern #curl treatment of TLSv1.3, why not simply refrain from using curl?

Or take an older version and maintain it yourself.💁🏻‍♂️

github.com/curl/curl/pull/1934…


openssl: respect system crypto policy for TLS max version by jacekmigacz · Pull Request #19342 · curl/curl

When no explicit --tls-max option is provided, curl should respect OpenSSL's system-wide crypto policy configuration instead of overriding it. Previously, curl called SSL_CTX_set_max_proto_vers...
GitHub
#curl

#development #curl

Should the default #curl progress meter use 1000-based units instead of 1024-based ones ?

  • 1000 (16%, 179 votes)
  • 1024 (83%, 904 votes)
1083 voters. Poll end: 2 weeks ago

#curl

What was the name of the project between #httpget and #curl?
#curl #httpget

Twenty-nine years ago on this day, #httpget 0.1 was released.

I found the tool a few days later and within a few months I became the maintainer. We later renamed it. Twice. The last name it got is #curl. It stuck.

httpget was my first insight and lesson into HTTP and since then I have kept learning it.

httpget 0.1 was written by Rafael Sagula, who unfortunately is not with us anymore.

#curl #httpget

six #curl security reports received within the last eight hours

I'm not getting the sense that things are improving.

#curl

#curl

one of the most common security reports we get in #curl is claims of various CRLF injections where a user injects a CRLF into their own command lines and that's apparently "an attack".

We have documented this risk if you pass in junk in curl options but that doesn't stop the reporters from reporting this to us. Over and over.

Here's a recent one.

hackerone.com/reports/3418616


curl disclosed on HackerOne: SMTP CRLF Injection in curl/libcurl...

SMTP CRLF Injection Vulnerability in curl/libcurl ## Vulnerability ID: CURL-SMTP-CRLF-2024 ## CWE-93: Improper Neutralization of CRLF Sequences ### Executive Summary curl/libcurl contains a CRLF...
HackerOne
#curl

In the #curl security team, we get to exercise deep protocol knowledge into the bits for many protocols including version variations and exploring funny quirks we have for adapting to many 3rd party libraries as well as a thorough understanding of the C language, how ABIs work, OS/platform variations and the occasional CPU peculiarity. Did I mention build systems?

And that's only for the issues we received this weekend.

#curl

You'd think merging on average eight bugfixes per day during the last #curl release cycle we would slow down a little now.

5 days after the release we are at:

Bugfixes logged: 48 (9.43 per day)

#curl

#curl

#curl #rtmp

#mqtt #curl

In #curl land, @vsz made a CI job that builds curl with fil-C and it runs the tests fine. Just slightly limited due to lack of dependencies as they all need to be built with fil-C as well.

github.com/curl/curl/pull/1939…


GHA/linux: add minimal Fil-C build with tests by vszakats · Pull Request #19391 · curl/curl

Requirements for Fil-C: not to accidentally pick up system headers. E.g. from /usr/include on Linux. It can happen when any dependency is auto-detected on this header path. This makes Fil-C find t...
GitHub
#curl @vsz

#curl