Less than ten hours left to respond to the #curl user survey of 2024 before I take it down

daniel.haxx.se/blog/2024/05/14…

WebSockets in #curl going non-experimental by September 2024

curl.se/mail/lib-2024-05/0035.…

Three years ago I made the questionable decision to mail #curl stickers to everyone who filled in a form within 24 hours. oboy, that was a lot of work...

daniel.haxx.se/blog/2021/05/28…

My BDFL guiding principles (for #curl)

daniel.haxx.se/blog/2024/05/27…

Currently filling in the #curl user survey. It’s by *far* my most favourite tool ever and I can’t imagine working with HTTP without it.

daniel.haxx.se/blog/2024/05/14…

Daniel's weekly report May 24, 2024

lists.haxx.se/pipermail/daniel…

#curl talk, 8.8.0, reproducible, ://, graphs, c-ares, survey, bonus, curl work

"On behalf of Google Open Source, I would like to thank you for your contribution to #Curl."

daniel.haxx.se/blog/2024/05/24…

There's this plan to have some students implement TLS 1.3 Early Data support in #curl

github.com/curl/curl/discussio…

Adding TLS 1.3 Early Data Support · curl curl · Discussion #13743

I plan on mentoring a summer project with a small team of undergrad students to add early data support to cURL over about 8 weeks starting in June. (#13528) I'd made a basic 8-week ish plan to help...

^GitHub

How to verify a #curl release

daniel.haxx.se/blog/2024/05/23…

How we are not the next xz.

#curl 8.8.0 is here

daniel.haxx.se/blog/2024/05/22…

A history of a logo with a colon and two slashes

daniel.haxx.se/blog/2024/05/21…

How the #curl logo got its colon slash slash.

“I could rewrite #curl”

Here's my collection of some less cheerful quotes to keep me firmly grounded. Blogged three years ago today:

daniel.haxx.se/blog/2021/05/20…

Remember to take the #curl user survey 2024 - if you can spare a few minutes.

daniel.haxx.se/blog/2024/05/14…

#curl, #Tor, dot onion and SOCKS

daniel.haxx.se/blog/2024/05/17…

On the #curl website, you can find 92 video presentations on all things curl: curl.se/docs/videos/

Almost 68 hours in total.

In the #curl project, being written in C, we always work on simplifying the code. One way is to use more internal helper functions and avoid direct use of some functions that are often involved in C mistakes/vulnerabilities.

To measure how this develops, we count number of these function calls used per every thousand lines of code. Over time.
In a graph.

In the #curl project, we spend 3.3 days/day on running tests - around 140,000 tests per commit/PR. In addition to what every developer runs in their own systems of course.

Our test failure rate in CI jobs is at 0.004%, which is annoyingly high when running this many tests.

Data from Dan Fandrich's curl up 2024 talk: youtube.com/watch?v=TxNdAm845T…

Test Clutch by Dan Fandrich - curl up 2024

Dan talks about his test results analytics system and the combat and struggle against flaky tests and failing CI jobs.

^YouTube

Cool bug 🪳

Incorrect Type Conversion in interpreting IPv4-mapped IPv6 addresses in #curl results in indeterminate SSRF #vulnerabilities.

hackerone.com/reports/2493548

curl disclosed on HackerOne: Incorrect Type Conversion in...

## Summary: Octal Type Handling of Errors in IPv4 Mapped IPv6 Addresses in curl allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that...

^HackerOne

Please consider donating a few minutes of your time and answer the #curl user survey 2024:

daniel.haxx.se/blog/2024/05/14…

This looks interesting

Hurl is a command line tool that runs HTTP requests defined in a simple plain text format.

It can chain requests, capture values and evaluate queries on headers and body response. Hurl is very versatile: it can be used for both fetching data and testing HTTP sessions.

Hurl makes it easy to work with HTML content, #REST / SOAP / GraphQL APIs, or any other XML / JSON based APIs.

(Built with #rustlang powered by #curl)

hurl.dev/

Twenty-six years ago on this day, we shipped #curl 4.4. Adding support for specifying the port number for the proxy given to the -x flag. Simpler times.

curl.se/changes.html#4_4

It has been a long time coming, but I've made it official:

"Daniel no longer answers questions on stackoverflow. Use a dedicated public curl forum for accurate and timely answers about anything #curl. "

(yes, speaking about myself in 3rd person)

stackoverflow.com/users/93747/…

User Daniel Stenberg

Stack Overflow | The World’s Largest Online Community for Developers

^{Stack Overflow}

@bagder Even high-end workstation synthesizers run #curl

This photo was taken from a Roland Fantom 6. I think it's using curl within the firmware update process.

1. do not assume that URLs will be treated the same cross user-agents.

2. do not assume that IPv4-mapped IPv6-addresses can be written in octal.

Another day. Another security report against #curl we could close.

hackerone.com/reports/2493548

curl disclosed on HackerOne: Incorrect Type Conversion in...

## Summary: Octal Type Handling of Errors in IPv4 Mapped IPv6 Addresses in curl allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that...

^HackerOne

"To me, the latest is the latest my OS provides me. If #curl maintainers dont care about pushing the latest into the OSes they support, it's not me to blame. I think curl maintainers should push Centos to provide the latest to all users. What's the purpose of you fixing multiple bugs and security holes if you dont spend time to make it available to the broader audience?"

We are obviously all just too lazy.

github.com/curl/curl/issues/13…

americanas.com.br immediately sends RST_STREAM · Issue #13546 · curl/curl

I did this The website americanas.com.br is the largest ecommerce in brazil after amazon.com. For some reason, simply requesting the main page returns with error. It's not a protection or any secur...

^GitHub