Challenge: improve the speed of the #curl dotdot URL normalizer function. (without doing ridiculous things)
github.com/curl/curl/blob/28d2…
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...GitHub
With 20 days left to next #curl release
Stats so far this cycle:
Commits: 530 (total 37258)
Commit authors: 27, 9 new (total 1425)
Contributors: 52, 24 new (total 3559)
Bugfixes logged: 290 (7.99 per day)
We currently have three pending CVEs to be announced in the next #curl release (severity low + medium x 2)
All three found with AI powered tooling.
So it is happening.
On this day six years ago, we learned that mr Robot curls:
daniel.haxx.se/blog/2019/12/10…
Exactly three years later, still this date, we found a #curl sighting in the movie Silk Road:
daniel.haxx.se/blog/2022/12/10…
The Mr Robot TV series features a security expert and hacker lead character, Elliot. Season 4, episode 8 Vasilis Lourdas reported that he did a "curl sighting" in the show and very well I took a closer peek and what do we see some 37 minutes 36 secon…daniel.haxx.se
⭐ ⭐ ⭐ ⭐ ⭐
The #curl repo on GitHub surpassed 40K stars: github.com/curl/curl
⭐ ⭐ ⭐ ⭐ ⭐
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...GitHub
Remember the AIxCC competition? After lots of research and triaging, the conclusion has landed: not a single *real* problem was found in #curl.
My previous write-up on the rather lame injected problems they found:
daniel.haxx.se/blog/2025/10/22…
At the AIxCC competition at DEF CON 33 earlier this year, teams competed against each other to find vulnerabilities in provided Open Source projects by using (their own) AI powered tools.daniel.haxx.se
curl_formget() accepts a user-provided callback function but does not validate it is non-NULL before calling it. If a caller passes NULL, the function will crash with SIGSEGV. Add NULL check at the...GitHub
#curl 8.18.0-rc1 is here => curl.se/rc/
As always, we appreciate if you can take it for a spin and verify that there are no regressions for your use cases.
The pending release notes are here: curl.se/dev/release-notes.html
12 screenshots and one video. On a claimed #curl problem that even in the title says *test suite*
Beware of the strong AI smell on this one.
**Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle** ```c /*************************************************************************** * ...HackerOne
The Bug We noticed that using IPv6 CIDR-Notation in a NO_PROXY env var doesn't have the desired effect, contrary to what the documentation at https://everything.curl.dev/usingcurl/proxies/env.h...GitHub
A new Hackerone issue was submitted for #curl and I had it closed as not applicable within four minutes. A new personal record I believe.
(It will be disclosed asap.)
Today December 4, at 18:00 CET I will talk tiny #curl. With a bird-themed slide set!
us02web.zoom.us/webinar/regist…
Join curl founder Daniel Stenberg on December 4th at 9 AM PT for a focused introduction to tiny-curl, the lightweight version of curl designed for resource-constrained environments and embedded users.Zoom
Reminder. #curl runs in all your devices. So I made a slide to show some of them.
(yeah, I've used and shown this slide numerous times before and I will probably do it again...)
Just confirmed: I'm coming to Oslo, Norway, in March 2026 for NDC security and I will talk... #curl
ndcsecurity.com/speakers/danie…
NDC Security 2026 is a 4-Day Event for Software Developers with a focus on Security. 2-5 March 2026 - Radisson Blu Scandinavia Hotel.NDC
We keep pruning things off the #curl tree every once in a while. Here's what is next in line to get chopped: curl.se/dev/deprecate.html
If you have opinions on any of those, speak up on the mailing list asap.
over the weekend we did:
hackerone_count += 2;
Now at 142 submissions this year so far for #curl. Out of which 8 were confirmed actual vulnerabilities.
On Thursday next week (Dec 4) I will do a tiny #curl webinar. Sign up for it here: us02web.zoom.us/webinar/regist…
It will be made available on video after the fact.
tiny-curl is a libcurl flavor designed for the smaller devices. Same API. Same reliability. With some protocols and features cut out making a (much) smaller footprint. See curl.se/tiny/
Join curl founder Daniel Stenberg on December 4th at 9 AM PT for a focused introduction to tiny-curl, the lightweight version of curl designed for resource-constrained environments and embedded users.Zoom
Someone invoked #curl on Windows powershell, saw a problem and reported it to us.
Yes. It was the dreaded alias. Again. Not a problem in "the real curl". I tried to get rid of this sorry thing, remember?
daniel.haxx.se/blog/2016/08/19…
PowerShell is a spiced up command line shell made by Microsoft. According to some people, it is a really useful and good shell alternative.daniel.haxx.se
Interesting numbers.
#curl on my Linux machine can download a large file from http://localhost at 5.0GiB/sec. Pointing to the file:// version of the exact same file "only" increases the speed to .8.8GiB/sec.
I have encountered an issue similar to #6358. When pausing an upload, it is not actually excluded from the low speed cancelation. The issue seems to be that the condition in the code only checks if...GitHub
On this day nine years ago, #curl received its first security audit report.
daniel.haxx.se/blog/2016/11/23…
"the overall impression of the state of security and robustness of the cURL library was positive." I asked for, and we were granted a security audit of curl from the Mozilla Secure Open Source program a while ago.daniel.haxx.se
Ah, #curl still in use, I see:
> otool -L ~/.cargo/bin/rustup
...
/usr/lib/libcurl.4.dylib
and cargo itself is:
~/.cargo/bin/cargo -> rustup
We try to keep it all safe to the best of our abilities.😌
In today's edition of #ChatGPT imagines a non-existent #curl feature, much to @bagder 's dismay...
As passed along by my colleague who discovered this, the prompt included: "find a website that is actually hosted on physical infrastructure in Guam"
and ChatGPT suggested one on #Akamai but then suggested using the no-existent --no-cdn flag to skip straight to the origin. Please don't take this as a suggestion to implement such a feature. 🙂
A real Hackerone #curl report title!:
"Out-of-bounds read in *** potential crash. This is sharp, <reporter name>. We've got a real memory safety bug"
The AI is helpfully cheering the guy onwards to slopping. Of course, it is a false positive.
In 2007 I did a talk about #curl at the FSCONS conference. The video is lost in time but today I realized that FSF Europe is still hosting the torrent file.
Not too many seeders of that content left though... 😎
Friends don't let friends disable TLS server verification. (#curl is used, but the check is explicitly disabled by the app)
