Search
Items tagged with: cURL
If you've been wanting to speak securely to your garage door or whatever MQTTS capable devices you want to control with your #curl command lines, look no further:
(this is planned to merge in time for the March 2026 release)
github.com/curl/curl/pull/1941…
mqtt: initial support for MQTTS by bagder · Pull Request #19418 · curl/curl
test cases documentationGitHub
When you‘re low on RAM, I recommend using a recent #curl for your internet transfers.
It can shuffle gigabytes back and forth using a few MB of your memory (mostly used by openssl).
If you develop an application, you can use #libcurl to gain its benefits.
Need to shape your traffic? For example bc you run a streaming service? #libcurl does that for you for all HTTP versions.
Today, twenty-nine awesome years ago, httpget 0.2 shipped. Unfortunately, both the source and the changelog for this release have been lost in time (like tears in rain).
httpget was the precursor to what later would become #curl
The internet, and the web, was different in 1996.
Five years ago I started getting these emails about #curl from NASA. Months later we learned this probably was related to them using curl in the Mars Helicopter mission.
daniel.haxx.se/blog/2020/12/17…
curl supports NASA
Not everyone understands how open source is made. I received the following email from NASA a while ago. Subject: Curl Country of Origin and NDAA Compliance Hello, my name is [deleted] and I am a Supply Chain Risk Management Analyst at NASA.daniel.haxx.se
20,000 issues on GitHub
daniel.haxx.se/blog/2025/12/16…
#curl
20,000 issues on GitHub
The curl project moved over its source code hosting to GitHub in March 2010, but we kept the main bug tracker running like before - on Sourceforge. It took us a few years, but in 2015 we finally ditched the Sourceforge version fully.daniel.haxx.se
docs: fix time_posttransfer output unit as seconds by skatsubo · Pull Request #19986 · curl/curl
In a couple of places in docs time_posttransfer's output is mentioned as milliseconds while it is actually unit of seconds.GitHub
"Can #curl avoid to be in a future funnily named exploit that shakes the world?"
I blogged this eleven years ago and the story remains almost identical today...
daniel.haxx.se/blog/2014/12/15…
Can curl avoid to be in a future funnily named exploit that shakes the world?
During this year we've seen heartbleed and shellshock strike (and a few more big flaws that I'll skip for now).daniel.haxx.se
On this day **fifteen years ago**, we shipped #curl 7.21.3 that introduced both --resolve and --xattr.
curl.se/docs/manpage.html#--re…
Challenge: improve the speed of the #curl dotdot URL normalizer function. (without doing ridiculous things)
github.com/curl/curl/blob/28d2…
curl/lib/urlapi.c at 28d27570fa021011b8679344d090772fea49d0d1 · curl/curl
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...GitHub
With 20 days left to next #curl release
Stats so far this cycle:
Commits: 530 (total 37258)
Commit authors: 27, 9 new (total 1425)
Contributors: 52, 24 new (total 3559)
Bugfixes logged: 290 (7.99 per day)
We currently have three pending CVEs to be announced in the next #curl release (severity low + medium x 2)
All three found with AI powered tooling.
So it is happening.
On this day six years ago, we learned that mr Robot curls:
daniel.haxx.se/blog/2019/12/10…
Exactly three years later, still this date, we found a #curl sighting in the movie Silk Road:
daniel.haxx.se/blog/2022/12/10…
Mr Robot curls
The Mr Robot TV series features a security expert and hacker lead character, Elliot. Season 4, episode 8 Vasilis Lourdas reported that he did a "curl sighting" in the show and very well I took a closer peek and what do we see some 37 minutes 36 secon…daniel.haxx.se
⭐ ⭐ ⭐ ⭐ ⭐
The #curl repo on GitHub surpassed 40K stars: github.com/curl/curl
⭐ ⭐ ⭐ ⭐ ⭐
GitHub - curl/curl: A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, T
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...GitHub
Remember the AIxCC competition? After lots of research and triaging, the conclusion has landed: not a single *real* problem was found in #curl.
My previous write-up on the rather lame injected problems they found:
daniel.haxx.se/blog/2025/10/22…
AIxCC curl details
At the AIxCC competition at DEF CON 33 earlier this year, teams competed against each other to find vulnerabilities in provided Open Source projects by using (their own) AI powered tools.daniel.haxx.se
formdata: validate callback is non-NULL before use by bagder · Pull Request #19858 · curl/curl
curl_formget() accepts a user-provided callback function but does not validate it is non-NULL before calling it. If a caller passes NULL, the function will crash with SIGSEGV. Add NULL check at the...GitHub
#curl 8.18.0-rc1 is here => curl.se/rc/
As always, we appreciate if you can take it for a spin and verify that there are no regressions for your use cases.
The pending release notes are here: curl.se/dev/release-notes.html
12 screenshots and one video. On a claimed #curl problem that even in the title says *test suite*
Beware of the strong AI smell on this one.
curl disclosed on HackerOne: Title: Use-After-Free in cURL Test...
**Title: Use-After-Free in cURL Test Suite via Improper Cleanup of Global Handle** ```c /*************************************************************************** * ...HackerOne
FIX: BUG: IPv6 CIDR notation in NO_PROXY variable or option by GenuaGSchulz · Pull Request #19828 · curl/curl
The Bug We noticed that using IPv6 CIDR-Notation in a NO_PROXY env var doesn't have the desired effect, contrary to what the documentation at https://everything.curl.dev/usingcurl/proxies/env.h...GitHub
A new Hackerone issue was submitted for #curl and I had it closed as not applicable within four minutes. A new personal record I believe.
(It will be disclosed asap.)
Today December 4, at 18:00 CET I will talk tiny #curl. With a bird-themed slide set!
us02web.zoom.us/webinar/regist…
Welcome! You are invited to join a webinar: tiny-curl 101: Secure Communication with a Small Footprint. After registering, you will receive a confirmation email about joining the webinar.
Join curl founder Daniel Stenberg on December 4th at 9 AM PT for a focused introduction to tiny-curl, the lightweight version of curl designed for resource-constrained environments and embedded users.Zoom
Reminder. #curl runs in all your devices. So I made a slide to show some of them.
(yeah, I've used and shown this slide numerous times before and I will probably do it again...)
Just confirmed: I'm coming to Oslo, Norway, in March 2026 for NDC security and I will talk... #curl
ndcsecurity.com/speakers/danie…
NDC Security Oslo 2026
NDC Security 2026 is a 4-Day Event for Software Developers with a focus on Security. 2-5 March 2026 - Radisson Blu Scandinavia Hotel.NDC
We keep pruning things off the #curl tree every once in a while. Here's what is next in line to get chopped: curl.se/dev/deprecate.html
If you have opinions on any of those, speak up on the mailing list asap.
over the weekend we did:
hackerone_count += 2;
Now at 142 submissions this year so far for #curl. Out of which 8 were confirmed actual vulnerabilities.
On Thursday next week (Dec 4) I will do a tiny #curl webinar. Sign up for it here: us02web.zoom.us/webinar/regist…
It will be made available on video after the fact.
tiny-curl is a libcurl flavor designed for the smaller devices. Same API. Same reliability. With some protocols and features cut out making a (much) smaller footprint. See curl.se/tiny/
Welcome! You are invited to join a webinar: tiny-curl 101: Secure Communication with a Small Footprint. After registering, you will receive a confirmation email about joining the webinar.
Join curl founder Daniel Stenberg on December 4th at 9 AM PT for a focused introduction to tiny-curl, the lightweight version of curl designed for resource-constrained environments and embedded users.Zoom
Someone invoked #curl on Windows powershell, saw a problem and reported it to us.
Yes. It was the dreaded alias. Again. Not a problem in "the real curl". I tried to get rid of this sorry thing, remember?
daniel.haxx.se/blog/2016/08/19…
Removing the PowerShell curl alias?
PowerShell is a spiced up command line shell made by Microsoft. According to some people, it is a really useful and good shell alternative.daniel.haxx.se
Interesting numbers.
#curl on my Linux machine can download a large file from http://localhost at 5.0GiB/sec. Pointing to the file:// version of the exact same file "only" increases the speed to .8.8GiB/sec.
If the service that I’m authenticating to uses basic auth, and I don’t want to store my passwords in a .netrc in my HOME or pass it in clear on the command-line, what are my best options?
@bagder
#curl #gnome_libsecret #infosec #LazyWeb