14 presentations from #curl up 2025 in a playlist: youtube.com/playlist?list=PLpX…
(two talks are missing because we botched the recordings)
Search
Items tagged with: curl
This thing works by generating fake vulnerability reports. Here are some of the qualities of the HackerOne report 3125832 sent to #curl:
- It looks convincing at a glance, especially if you're not a subject matter expert.
- It's vague about actual repro steps. It makes it impossible for the victim project to reproduce the issue. For example, it makes up fake patches against non-existent, imaginary code.
- It refers to functions and methods that do not exist (in case someone tries to look for them). When confronted, the attacker refer to some old or new versions of components, using non-existent commit hashes.
- The report makes up some convincing functionality or names that are novel, but don't really exist.
An expert’s look at the report shows the number of discrepancies, but finding them takes time and effort. It requires attention from a subject matter expert, with limited resources.
The real exploit here is that the attacker (evilginx) exploits the fact that the victims (the orgs who paid the attacker money) don't have the capacity to perform thorough analysis and rather just pay up. TL;DR: It's cheaper to pay the bug bounty than hire an expert to perform true analysis.
Why didn't it work against the curl project? The attacker miscalculated badly. Curl project is not a company and has far greater capability in security response than your average org. Also they can smell #aislop miles away.
"Mir reicht's": #Curl-Entwickler spricht Machtwort gegen "KI-Schrott"
golem.de/news/mir-reicht-s-cur…
> Entwickler @bagder zeigt sich frustriert über durch KI generierte Bug-Reports. Reporter werden künftig einem Intelligenztest unterzogen.
Btw., #Golem garniert den Artikel mit einem KI generierten Bild 🤷
Aber das mit den Intelligenztest finde ich gut. Die Frage ist, ob man mit Captchas gegen LLMs ankommt.
Don't forget to sign up for OpenInfra Forum on May 22 in #Stockholm to come and hear me blab about #curl. Or just extract some stickers from me and listen to the others instead.
meetup.com/openinfra-user-grou…
OpenInfra Forum #19! 10 year anniversary! 121/150 currently attending.
**Update: 121/150 anmälda.** **Update: Efterfesten är full 45/45 anmälda. 7 i kö.** Hej allihopa! Goda nyheter! Open Infra Forum firar 10 år, så den härMeetup
Live the bleeding edge life and take curl-8.14.0-rc1 for a test spin for us!
Thanks to users testing our rc builds, we can reduce the regression risk once we ship the actual *real* release on May 28. Today I shipped the rc1. There will be two more rc builds before the release.
Thanks for flying #curl
Welcome Andrei Florea as #curl commit author 1373: github.com/curl/curl/pull/1696…
Select TLS signature algorithms by stormshield-aflorea · Pull Request #16964 · curl/curl
Overview This allows the user to select which algorithms are presented in the signature_algorithms client hello extension. In this change, I add the CURLOPT_SSL_SIGNATURE_ALGORITHM option for curl_...GitHub
Welcome NeimadTL as #curl commit author 1372: github.com/curl/curl/pull/1723…
Update TODO document by NeimadTL · Pull Request #17233 · curl/curl
The document has been updated by removing point 20.2 as is was done some time ago.GitHub
Welcome Corinna Brandt as #curl commit author 1371: github.com/curl/curl/pull/1722…
openssl: set the cipher string before doing private cert by bagder · Pull Request #17227 · curl/curl
... as this allows a set string to affect how OpenSSL deals with the private keys/certs.GitHub
Welcome Andreas Westin as #curl commit author 1370: github.com/curl/curl/pull/1718…
Fix FTP accept connect by And-yW · Pull Request #17186 · curl/curl
When cf_tcp_accept_connect() is called and it sets up a connection it never indicates to the caller that the it's done.GitHub
I'm pondering adding a --location-mode flag to #curl and I could use your feedback!
github.com/curl/curl/pull/1654…
curl: add --location-mode all/obey/first by bagder · Pull Request #16543 · curl/curl
Sets the "mode" for how to treat and use a custom HTTP method when following redirects. The idea being that a user can set location-mode: obey in their .curlrc or similar to get this func...GitHub
Ten years ago #curl visited the Nasdaq tower in New York
daniel.haxx.se/blog/2015/04/24…
curl on the NASDAQ tower
Apigee posted this lovely picture over at twitter. A curl command line on the NASDAQ tower.daniel.haxx.se
How the CNA thing is working out for #curl
daniel.haxx.se/blog/2025/04/24…
How the CNA thing is working out
Do you remember how curl became a CNA early last year? I was reminded that I had not really gotten back to this topic and explained to you, my dear readers, how it is and how it has worked out. This curl-being-a-CNA thing I mean.daniel.haxx.se
Welcome Jochen Sprickerhof as #curl commit author 1369: github.com/curl/curl/pull/1715…
openssl-quic: Add missing include by jspricke · Pull Request #17156 · curl/curl
uint_hash, Curl_uint_hash_init and others are used in the file. Regression of 657aae7.GitHub
Updated #curl bug bounty stats, six years in:
520 reports
78 confirmed security vulnerabilities
104 "informative" reports, bugs that weren't vulnerabilities
11 marked as "AI slop"
The rest were just different kinds of not applicable. Some more crazy than others.
The latest confirmed curl vulnerability (CVE-2025-0725) was reported 90 days ago.
There is currently zero issues in our queue.
Welcome Helmut Grohne as #curl commit author 1368: github.com/curl/curl/pull/1715…
autotools: install shell completion files on cross build by samueloph · Pull Request #17159 · curl/curl
Before 8.13.0, it was not possible to generate them as it required calling the compiled binary, but this has been fixed. Forwarding the patch from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=...GitHub
tell me, what info/trend/data should I dig up or extract and include in my "state of #curl" talk at curl up in less than two weeks?
Here's the two hour talk I did last year:
youtu.be/1X3IP-pvKTY?si=mGAquf…
The state of curl by Daniel Stenberg - curl up 2024
Daniel talks about curl in 2024. Where are are. How we do.YouTube
I compared #curl today vs curl 8 years ago on malloc count + memory use to download a single 512MB file over cleartext HTTP:
129 mallocs, which is exactly the same.
Maximum allocated now: 135566. 17,681 bytes *less* than eight years ago.
Not everything has to go bloat over time I suppose.
And here's the old blog post: daniel.haxx.se/blog/2017/04/22…
Fewer mallocs in curl
Today I landed yet another small change to libcurl internals that further reduces the number of small mallocs we do.daniel.haxx.se
Welcome Max Eliaser as #curl commit author 1367: github.com/curl/curl/pull/1710…
Clarify that CURLOPT_ERRORBUFFER buffer is read only after curl gains ownership of it by MaxEliaserAWS · Pull Request #17105 · curl/curl
Here is a documentation patch clarifying libcurl's guarantees with regards to the CURLOPT_ERRORBUFFER buffer. See #17100. Tested make -C docs.GitHub
One year anniversary for the #curl pillow "curl is just the hobby"
daniel.haxx.se/blog/2024/04/22…
curl is just the hobby
Jan Gampe took things to the next level by actually making this cross-stitch out of the pattern I previously posted online. The flowers really gave it an extra level of charm I think.daniel.haxx.se
Welcome Brian Chrzanowski as #curl commit author 1366: github.com/curl/curl/pull/1674… (thanks to Calvin Ruocco who made the PR)
websocket: add option to disable auto-pong reply by viscruocco · Pull Request #16744 · curl/curl
Rebased #12220 with kind permission of @brimonk. Additionally added some more documentation and explicitly initialized CURLOPT_WS_OPTIONS values to their defaults.GitHub
Every topic I usually blab about here in a single weekend in Prague? That's basically #curl up 2025. Consider yourself invited. Only two weeks away now.
Welcome Sören Tempel as #curl commit author 1365: github.com/curl/curl/pull/1703…
http: In alt-svc negotiation only allow supported HTTP versions by nmeum · Pull Request #17037 · curl/curl
Without this patch, the handling of the alt-svc header added via 279a477 (CC: @icing) in curl-8.13.0 attempts to connect to alternative services via different HTTP versions, even if the target HTTP...GitHub
Welcome Cole Helbling as #curl commit author 1364: github.com/curl/curl/pull/1703…
curl_get_line: handle lines ending on the buffer boundary by cole-h · Pull Request #17036 · curl/curl
Very similar to 9f8bdd0, but affects e.g. netrc file parsing. Suggested-by: Graham Christensen graham@grahamc.com I opted to write a Perl test for this, since I didn't know how dynamic the %HO...GitHub
curl HTTP/3 with OpenSSL 3.5 may be coming you way soon. Tatsuhiro, the maintainer of ngtcp2, did the (unnecessarly) heavy lifting to adapt and I did the comparatively few changes for it in curl.
Once ngtcp2 releases, we can merge that hopefully for the next curl release. If you want to test, see:
github.com/curl/curl/pull/1702…
#curl #http3
ngtcp2+openssl support by icing · Pull Request #17027 · curl/curl
With the new addition of QUIC support and the support in ngtcp2 main branch, make the necessary adjustments in curl to support this combination. add support in configure.ac to detect the feature O...GitHub
Summing up the #curl distro 2025 meet
daniel.haxx.se/blog/2025/04/10…
My kind of meeting.
Summing up the curl distro 2025 meet
On April 10 we ran the curl distro meeting 2025. A, by now, annual open meeting where maintainers from the curl project hang out with curl package maintainers for distros and other people who are interested.daniel.haxx.se
The annual #curl distro meeting happened. Thanks everyone who participated. Good discussions. Excellent feedback. I have some action items.
curl might just get yet a little better as a result of this!
It looks like the #OpenSSL QUIC API might be supported in the coming #ngtcp2 1.12.0 release:
github.com/ngtcp2/ngtcp2/pull/…
This could be exciting for #curl users building with #OpenSSL ...
Add libngtcp2_crypto_ossl, osslclient and osslserver by tatsuhiro-t · Pull Request #1582 · ngtcp2/ngtcp2
Add libngtcp2_crypto_ossl, osslclient and osslserver libngtcp2_crypto_ossl is an ngtcp2 crypto helper library for OpenSSL >= 3.5. If libngtcp2_crypto_ossl is used, an application must make sur...GitHub
Welcome Johan Eliasson as #curl commit author 1360: github.com/curl/curl/pull/1699…
docs: fix incorrect shell substitution in docker run example command by jeliasson · Pull Request #16990 · curl/curl
Corrected the volume mount path in the Docker run example by replacing (pwd) with the shell substitution syntax $(pwd). This ensures the current working directory is properly mounted into the conta...GitHub
Reminder: we do the #curl distro meeting 2025 this Thursday!
github.com/curl/curl/wiki/curl…
curl distro discussion 2025
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...GitHub
The blog post from yday brought back this question: why aren't we using C99 in #curl? Here's my past response:
daniel.haxx.se/blog/2022/11/17…
Considering C99 for curl
tldr: we stick to C89 for now. The curl project builds on foundations that started in late 1996 with the tool named httpget.daniel.haxx.se
Remember, if you just take this day as a weekend, your #curl rewrite could be finished
(from the collection at daniel.haxx.se/blog/2021/05/20…)
“I could rewrite curl”
Collected quotes and snippets from people publicly sneezing off or belittling what curl is, explaining how easy it would be to make a replacement in no time with no effort or generally not being very helpful. These are statements made seriously.daniel.haxx.se