There is a de facto environment variable CI=true that is enabled on CI platforms like GitHub, GitLab and Jenkins. Tools such as pip and yarn listen to this and make their output less chatty. In man...
1.Download curl.se using #curl built to use OpenSSL (that is over HTTPS in case Mastodon hides the scheme for you) 2. count number of allocations made with heaptrack 3. pause for gasping 4. double-check that curl only does 134 allocs itself, independently of the downloaded size 5. check the heaptrack number again
It is a somewhat common question to me: how do we write C in curl to make it safe and secure for billions of installations? Some precautions we take and decisions we make. There is no silver bullet, just guidelines.
Per project policy, we make ALL reports public. (For practical reasons we have so far focused on getting everything submitted during 2025 disclosed. Hackerone has no method to disclose in bulk or automated, so it is a highly manual and tedious process involving a lot of clicks per single report)
C mistakes among the vulnerabilities present in #curl code
(C mistakes are vulnerabilities that were caused by a mistake that "probably would not have been possible" had we not been using C for curl. Manually assessed for each case.)
For every moment in time, how many vulnerabilities of different severity were present in code. We know now because these vulnerabilities have been reported and fixed since then.
The peak is at 7.41.0 on 2015-02-25 with 85 vulnerabilities present!
I'm introducing limits per test case in #curl test suite to make sure we don't unintentionally accidentally suddenly use many more allocations or much more concurrent memory than we can allow.
The idea here is to set limits per test how many allocations and maximum amount of memory it is allowed to use. This is a means to make sure the number and total size of allocations are kept in che...
Commit f2ce6c4 among other things added the use of own library context instead of the default context. Default context has access to OpenSSL configuration file, own context doesn't have it.
The...
I'm pleased to announce that once again I have collected the results, generated the graphs and pondered over conclusions to make after the annual curl user survey.
Add a new commandline option --out-null that discards all response bytes into the void. Replaces non-portable use of '-o /dev/null' with more efficiency.
Feature earliest for 8.16.0
that's in particular important to keep in mind when looking at a graph like this, showing the number of known vulnerabilities per 1,000 lines of code in #curl over time:
Today I added the following paragraph to #curl's hackerone page informing about our bug-bounty program:
Reports are made public
All security reports that are submitted to the curl project are subject for disclosure once they have been dealt with and they are deemed "insensitive". We are an Open Source project for which transparency is important, which then includes showing the world all our security reports as well.
One of these rare chances to get your hands on #curl stickers materializes tomorrow in Rotterdam when I appear at the Joy of Coding conference with a load of stickers waiting for new homes.
@cr I don't have a lot of experience to compare with. Fastly sponsors this for us (making it entirely gratis for us, the #curl project) and their service has been just flawless so I have nothing but praise to give.
curl passes down the capath directly to the backends. OpenSSL will then delimiter-separate this path internally to support multiple directories (using its certificate hash scheme). However, the oth...
When the code was originally written, entry = NULL was supported. However, after 59e351a this check has became redundant. It will never succeed because the *entry = NULL; statement at the start of ...
curl supports getting built with eleven different TLS libraries. Six of these libraries are OpenSSL or forks of OpenSSL. Allow me to give you a glimpse of their differences, similarities and some insights into what it takes to support them all.
TIL #curl help categories. When invoked with cli flag '-h' curl can provide you infos about command-line flags related to certain categories, e.g. http, smtp, ... Thanks for that @bagder
