The #curl roadmap 2025 webinar happens later today:
daniel.haxx.se/blog/2025/02/25…
On March 6 2025 at 18:00 UTC, I am doing a curl roadmap webinar, talking through a set of features and things I want to see happen in curl during 2025. Figure out my local time.daniel.haxx.se
Let me give you another peek into the everyday work of the #curl security team. A reported UAF we deem not a security problem:
## Summary: [summary of the vulnerability] There is a use after free in `curl_multi_perform` when DoH resolver timeouts and `CURLOPT_PROXY` is used (see reproducer and stack trace) I found it via...HackerOne
Without this, any usage of sendbuf_hds_len on a retried request is wrong. We noticed by getting debug callbacks with incorrect header len. We did not figure out how to trigger the retries in a test...GitHub
"Three generations in my family have used and loved #curl! That’s the kind of reliability you don’t see often in software." / Kalyani Pawar
💚
Three years ago today, the --json option shipped in a #curl release for the first time.
daniel.haxx.se/blog/2022/02/02…
The curl "cockpit" is yet again extended with a new command line option: --json. The 245th command line option.daniel.haxx.se
say hello to #curl's 268th command line option --upload-flags (just merged in master)
Use it to set properties for your IMAP upload: answered, deleted, draft, flagged, or seen
Adds support for specifying upload flags, to allow e.g. uploading mail via IMAP without the Seen flag. e.g. curl imap://example.com:993/MAILBOX -u 'user@example.com' --upload-file /some/fil...GitHub
Hi! 👋 A small quality-of-life improvement, I think. Do tell if I'm missing something here, and there were any reason not to print out the conn->user value that ends-up used for the connectio...GitHub
I honestly cannot quite grasp that in 16 days #curl turns twenty-seven years old. 27. Years.
I was not even 27 when it was born.
I'm sensing strong renewed anti-GitHub sentiments among my (non-US based) peers these days as the US is seemingly in a free-fall towards chaos.
We will of course keep prioritizing security and safety for the #curl project and its contributors and will act immediately if the signs tell us we should.
Ten years ago on this day we went full GitHub model in #curl: pull-request style development. We have since handled over 10,700 PRs in an increasing amount of activity.
daniel.haxx.se/blog/2015/03/03…
Pull requests and issues filed on github are most welcome! The curl project has been around for a long time by now and we've been through several different version control systems.daniel.haxx.se
Today is also two years since "the nuget story" where I struggled to get a ten year old and vulnerable #curl version delisted:
daniel.haxx.se/blog/2023/03/02…
Recently there has been an interesting debate in the Open Source world where people have objected to being called "Suppliers" as in Supply Chain Security when you are but an Open Source developer offering your code to the world for free and at no cos…daniel.haxx.se
This PR fixes the comment issue in lib533. Test 546 also depends on lib533. curl/tests/data/test546 Lines 34 to 36 in 049352d ...GitHub
Adding #curl release candidates
daniel.haxx.se/blog/2025/02/28…
Heading towards curl release number 266 we have decided to spice up our release cycle with release candidates in an attempt to help us catch regressions better earlier.daniel.haxx.se
I know it is often repeated, but #curl is not a one man factory:
everything.curl.dev/project/de…
everything there is to know about curl, libcurl and the cURL projecteverything.curl.dev
everything there is to know about curl, libcurl and the cURL projecteverything.curl.dev
How to do a #curl release has now been viewed 20K times!
Daniel makes the curl 8.12.0 release. Shows how a curl release is done. This is the 264th curl release. Shows the scripts, the procedures and the general pro...YouTube
Join me for a small presentation next week on what we want for #curl in 2025...
daniel.haxx.se/blog/2025/02/25…
On March 6 2025 at 18:00 UTC, I am doing a curl roadmap webinar, talking through a set of features and things I want to see happen in curl during 2025. Figure out my local time.daniel.haxx.se
closes #16468 This PR improves null check to avoid segfault when a certificate doesn't contain a public key. infof_certstack is used for debug/information purposes so this PR doesn't create...GitHub
I think it builds on stable (or beta, at least), so there's no reason to use nightly. Also, use the minimal profile to skip installing the docs. It probably won't make a difference (because...GitHub
If you use a curl built with GnuTLS (debian sid, for example), specifying --ciphers now does nothing.
But some people have need of that option to work. Here you can chime in on how it should be supported:
github.com/curl/curl/discussio…
#curl
Some people migrating from curl+openssl to a curl+gnutls notice that their --ciphers arguments simply are ignored. First, this is documented and not a bug. Fine. But some of these users have a need...GitHub
A second #curl distro meeting 2025
daniel.haxx.se/blog/2025/02/24…
We are doing a rerun of last year's successful curl + distro online meeting. A two-hour discussion, meeting, workshop for curl developers and curl distro maintainers.daniel.haxx.se
Follows-up b22f906, which added a new contributor with a different casing for "github" than the others. Given that there hasn't been a release yet that adds this to the THANKS file, i...GitHub
A year ago the third #curl security audit completed, that time covering our HTTP/3 implementation.
It revealed **no** major discoveries or security problems.
daniel.haxx.se/blog/2024/02/23…
An external security audit focused especially on curl's HTTP/3 components and associated source code was recently concluded by Trail of Bits.daniel.haxx.se
For your amusement, let me quote a selected phrase from a #curl related hackerone comment I just submitted.
"IT IS AND WAS NOT A SECURITY PROBLEM. You are still wasting our time."
(The reporter reported he could access the git repository using .git on the curl.dev site. A static site with a public git repository. Shocking.)
Sorry, but sometimes things need to be said using all caps.
Sunday surprise!
A friend of mine found an old email from me dated January 17 1997
Attached in this mail was the #httpget 0.2 source code. Previously believed to be lost, now the oldest httpget code I have.
165 lines long. 110 lines code, 30 lines comments, 25 blank lines.
This morning, #curl was 174,854 lines of code, not counting blank lines but comments.
1248 times larger over 28 years.
#curl website traffic Feb 2025
Data without logs sure leaves us open for speculations.
daniel.haxx.se/blog/2025/02/22…
Data without logs sure leaves us open for speculations. I took a quick look at what the curl.se website traffic situation looks like right now. Just as curiosity.daniel.haxx.se
How about a #curl distros meeting again in 2025?
curl.se/mail/distros-2025-02/0…
The report from last year:
daniel.haxx.se/blog/2024/03/25…
On March 21 2024 we had a curl distro meeting where people from at least ten different distros and curl project members had a video meeting and talked curl and distro related topics for a while.daniel.haxx.se
Daniel shows off the plumbing, related scripts and how to keep the #curl RELEASE-NOTES file in sync during development so that it is ready and in good shape at release time.
Daniel shows off the plumbing, related scripts and how to keep the curl RELEASE-NOTES file in sync during development so that it is ready and in good shape a...YouTube
Wait, what? 😯
#curl can send email? Damn... @bagder I'm impressed (not that I didn't expected that), curl just keeps on giving. 😁
curl --url "smtp://$SMTP_SERVER:$SMTP_PORT" \
--ssl-reqd \
--mail-from "$SMTP_USER" \
--mail-rcpt "$EMAIL" \
--upload-file "$LOG_FILE" \
--user "$SMTP_USER:$SMTP_PASSWORD" \
--insecure
