I have found this issue when trying to use the new PKCS#11 provider support in curl.
I was getting the following error when trying to use a pkcs11 uri as a key, in curl 8.12.1:
* crypto provider no...
On March 6 2025 at 18:00 UTC, I am doing a curl roadmap webinar, talking through a set of features and things I want to see happen in curl during 2025. Figure out my local time.
## Summary:
[summary of the vulnerability]
There is a use after free in `curl_multi_perform` when DoH resolver timeouts and `CURLOPT_PROXY` is used (see reproducer and stack trace)
I found it via...
Without this, any usage of sendbuf_hds_len on a retried request is wrong. We noticed by getting debug callbacks with incorrect header len. We did not figure out how to trigger the retries in a test...
Adds support for specifying upload flags, to allow e.g. uploading mail via IMAP without the Seen flag. e.g. curl imap://example.com:993/MAILBOX -u 'user@example.com' --upload-file /some/fil...
Hi! 👋
A small quality-of-life improvement, I think.
Do tell if I'm missing something here, and there were any reason not to print out the conn->user value that ends-up used for the connectio...
Ten years ago on this day we went full GitHub model in #curl: pull-request style development. We have since handled over 10,700 PRs in an increasing amount of activity.
Pull requests and issues filed on github are most welcome! The curl project has been around for a long time by now and we've been through several different version control systems.
@thomas_klopf sometimes you must really want to get something done and put in the extra effort to make sure it happens. Being captain of the #curl ship takes me to many such places...
Recently there has been an interesting debate in the Open Source world where people have objected to being called "Suppliers" as in Supply Chain Security when you are but an Open Source developer offering your code to the world for free and at no cos…
Heading towards curl release number 266 we have decided to spice up our release cycle with release candidates in an attempt to help us catch regressions better earlier.
Daniel makes the curl 8.12.0 release. Shows how a curl release is done. This is the 264th curl release. Shows the scripts, the procedures and the general pro...
On March 6 2025 at 18:00 UTC, I am doing a curl roadmap webinar, talking through a set of features and things I want to see happen in curl during 2025. Figure out my local time.
closes #16468
This PR improves null check to avoid segfault when a certificate doesn't contain a public key.
infof_certstack is used for debug/information purposes so this PR doesn't create...
I think it builds on stable (or beta, at least), so there's no reason to use nightly. Also, use the minimal profile to skip installing the docs.
It probably won't make a difference (because...
Some people migrating from curl+openssl to a curl+gnutls notice that their --ciphers arguments simply are ignored. First, this is documented and not a bug. Fine. But some of these users have a need...
We are doing a rerun of last year's successful curl + distro online meeting. A two-hour discussion, meeting, workshop for curl developers and curl distro maintainers.
Follows-up b22f906, which added a new contributor with a different casing for "github" than the others.
Given that there hasn't been a release yet that adds this to the THANKS file, i...
Data without logs sure leaves us open for speculations. I took a quick look at what the curl.se website traffic situation looks like right now. Just as curiosity.
On March 21 2024 we had a curl distro meeting where people from at least ten different distros and curl project members had a video meeting and talked curl and distro related topics for a while.
Sometimes people think #curl is a simple little HTTP tool, while in reality there's a whole internet transfer machine in there supporting 28 protocols.
Daniel shows off the plumbing, related scripts and how to keep the #curl RELEASE-NOTES file in sync during development so that it is ready and in good shape at release time.
Daniel shows off the plumbing, related scripts and how to keep the curl RELEASE-NOTES file in sync during development so that it is ready and in good shape a...
I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.
For educational purposes we disclose this recent hackerone report on #curl claiming its sprintf() implementation is bad because it can be made to deref a bad pointer when you use it incorrectly. You know, exactly how all sprintf() implementation work - by design.
This is not the first time we had this "flaw" reported. (I did not check the "AI slop" checkbox on this one)
## Summary:
A vulnerability has been identified in the curl library’s formatted output functions (specifically in curl_msnprintf and its related functions). When a malicious (attacker-controlled)...
