Instead of adding this information in another document, I now created a new one to maybe make it easier to find, discuss and to link.
At a later point we should probably merge it into the CONTRIBUT...
We have a CI job to spot unwanted utf8 letters in #curl PRs as we have noticed that GitHub will gladly show the for example (identical) Cyrillic version of a letter next to the Latin version in a diff and it is yes, entirely impossible for a human to spot the diff. I mean the diff is shown, but the significance of it is not.
Changing just a single letter like that in a URL hostname opens up for a world of grief.
Live the bleeding edge life, help out the #curl project and test the fresh 8.14.0-rc2 build: curl.se/rc/
(Do not use release candidates in production. They are work in progress. Use them for testing and verification only. Use actual releases in production.)
Title: Curl ProgrammingAuthor: Dan GookinISBN: 9781704523286Weight: 181 grams A book for my library is a book about my library! Not long ago I discovered that someone had written this book about curl and that someone wasn't me! (I believe this is a f…
This thing works by generating fake vulnerability reports. Here are some of the qualities of the HackerOne report 3125832 sent to #curl: - It looks convincing at a glance, especially if you're not a subject matter expert. - It's vague about actual repro steps. It makes it impossible for the victim project to reproduce the issue. For example, it makes up fake patches against non-existent, imaginary code. - It refers to functions and methods that do not exist (in case someone tries to look for them). When confronted, the attacker refer to some old or new versions of components, using non-existent commit hashes. - The report makes up some convincing functionality or names that are novel, but don't really exist.
An expert’s look at the report shows the number of discrepancies, but finding them takes time and effort. It requires attention from a subject matter expert, with limited resources.
The real exploit here is that the attacker (evilginx) exploits the fact that the victims (the orgs who paid the attacker money) don't have the capacity to perform thorough analysis and rather just pay up. TL;DR: It's cheaper to pay the bug bounty than hire an expert to perform true analysis.
Why didn't it work against the curl project? The attacker miscalculated badly. Curl project is not a company and has far greater capability in security response than your average org. Also they can smell #aislop miles away.
Don't forget to sign up for OpenInfra Forum on May 22 in #Stockholm to come and hear me blab about #curl. Or just extract some stickers from me and listen to the others instead.
**Update: 121/150 anmälda.**
**Update: Efterfesten är full 45/45 anmälda. 7 i kö.**
Hej allihopa!
Goda nyheter! Open Infra Forum firar 10 år, så den här
Live the bleeding edge life and take curl-8.14.0-rc1 for a test spin for us!
Thanks to users testing our rc builds, we can reduce the regression risk once we ship the actual *real* release on May 28. Today I shipped the rc1. There will be two more rc builds before the release.
Overview
This allows the user to select which algorithms are presented in the signature_algorithms client hello extension.
In this change, I add the CURLOPT_SSL_SIGNATURE_ALGORITHM option for curl_...
Sets the "mode" for how to treat and use a custom HTTP method when following redirects.
The idea being that a user can set location-mode: obey in their .curlrc or similar to get this func...
Do you remember how curl became a CNA early last year? I was reminded that I had not really gotten back to this topic and explained to you, my dear readers, how it is and how it has worked out. This curl-being-a-CNA thing I mean.
Before 8.13.0, it was not possible to generate them as it required
calling the compiled binary, but this has been fixed.
Forwarding the patch from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=...
@kiyo I don't know and I don't care that much. If people want it added there it will be added. For users such as #curl, we add things like DoH ourselves anyway and it would be hard to use any such provided by c-ares because of the "different layer" it works on.
Jan Gampe took things to the next level by actually making this cross-stitch out of the pattern I previously posted online. The flowers really gave it an extra level of charm I think.
Rebased #12220 with kind permission of @brimonk.
Additionally added some more documentation and explicitly initialized CURLOPT_WS_OPTIONS values to their defaults.
Every topic I usually blab about here in a single weekend in Prague? That's basically #curl up 2025. Consider yourself invited. Only two weeks away now.
Without this patch, the handling of the alt-svc header added via 279a477 (CC: @icing) in curl-8.13.0 attempts to connect to alternative services via different HTTP versions, even if the target HTTP...
Very similar to 9f8bdd0, but affects e.g. netrc file parsing.
Suggested-by: Graham Christensen graham@grahamc.com
I opted to write a Perl test for this, since I didn't know how dynamic the %HO...
