Reminder. #curl runs in all your devices. So I made a slide to show some of them.
(yeah, I've used and shown this slide numerous times before and I will probably do it again...)
Just confirmed: I'm coming to Oslo, Norway, in March 2026 for NDC security and I will talk... #curl
ndcsecurity.com/speakers/danie…
NDC Security 2026 is a 4-Day Event for Software Developers with a focus on Security. 2-5 March 2026 - Radisson Blu Scandinavia Hotel. (NDC)
We keep pruning things off the #curl tree every once in a while. Here's what is next in line to get chopped: curl.se/dev/deprecate.html
If you have opinions on any of those, speak up on the mailing list asap.
over the weekend we did:
hackerone_count += 2;
Now at 142 submissions this year so far for #curl. Out of which 8 were confirmed actual vulnerabilities.
On Thursday next week (Dec 4) I will do a tiny #curl webinar. Sign up for it here: us02web.zoom.us/webinar/regist…
It will be made available on video after the fact.
tiny-curl is a libcurl flavor designed for the smaller devices. Same API. Same reliability. With some protocols and features cut out making a (much) smaller footprint. See curl.se/tiny/
Join curl founder Daniel Stenberg on December 4th at 9 AM PT for a focused introduction to tiny-curl, the lightweight version of curl designed for resource-constrained environments and embedded users. (Zoom)
Someone invoked #curl on Windows powershell, saw a problem and reported it to us.
Yes. It was the dreaded alias. Again. Not a problem in "the real curl". I tried to get rid of this sorry thing, remember?
daniel.haxx.se/blog/2016/08/19…
PowerShell is a spiced up command line shell made by Microsoft. According to some people, it is a really useful and good shell alternative. (daniel.haxx.se)
Interesting numbers.
#curl on my Linux machine can download a large file from http://localhost at 5.0GiB/sec. Pointing to the file:// version of the exact same file "only" increases the speed to 8.8GiB/sec.
I have encountered an issue similar to #6358. When pausing an upload, it is not actually excluded from the low speed cancelation. The issue seems to be that the condition in the code only checks if... (GitHub)
On this day nine years ago, #curl received its first security audit report.
daniel.haxx.se/blog/2016/11/23…
"the overall impression of the state of security and robustness of the cURL library was positive." I asked for, and we were granted a security audit of curl from the Mozilla Secure Open Source program a while ago. (daniel.haxx.se)
Ah, #curl still in use, I see:
> otool -L ~/.cargo/bin/rustup
...
/usr/lib/libcurl.4.dylib
and cargo itself is:
~/.cargo/bin/cargo -> rustup
We try to keep it all safe to the best of our abilities.😌
In today's edition of #ChatGPT imagines a non-existent #curl feature, much to @bagder's dismay...
As passed along by my colleague who discovered this, the prompt included: "find a website that is actually hosted on physical infrastructure in Guam"
and ChatGPT suggested one on #Akamai but then suggested using the non-existent --no-cdn flag to skip straight to the origin. Please don't take this as a suggestion to implement such a feature. 🙂
A real Hackerone #curl report title!:
"Out-of-bounds read in *** potential crash. This is sharp, <reporter name>. We've got a real memory safety bug"
The AI is helpfully cheering the guy onwards to slopping. Of course, it is a false positive.
In 2007 I did a talk about #curl at the FSCONS conference. The video is lost in time but today I realized that FSF Europe is still hosting the torrent file.
Not too many seeders of that content left though... 😎
Friends don't let friends disable TLS server verification. (#curl is used, but the check is explicitly disabled by the app)
This change increases the minimum stack cookie for the AmigaOS build of the curl tool. In testing, the older stack size of 16384 was causing curl to crash on heavy TLS loads. These operations are si... (GitHub)
I have already been asked how we intend to celebrate #curl's 30th anniversary next November (counted from httpget's birth)
But no, I have no idea. I'll think about that in about 11 months
Started a discussion about adding a timer notification to libcurl. If you use the "multi" interface, maybe you have an opinion?
#curl
github.com/curl/curl/discussions/19553
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP... (GitHub)
It also means that all supported OpenSSL versions and forks support TLSv1.3 after this patch. It reduces `openssl.c` size by more than 10%, or 400 LOC. Ref: #18822 Closes #18330 (GitHub)
Added a simple example of how --limit-rate and --max-time could be used together for a controlled transfer window (GitHub)
if you are not happy on your FIPS system with modern #curl treatment of TLSv1.3, why not simply refrain from using curl?
Or take an older version and maintain it yourself. 💁🏻‍♂️
github.com/curl/curl/pull/1934…
When no explicit --tls-max option is provided, curl should respect OpenSSL's system-wide crypto policy configuration instead of overriding it. Previously, curl called SSL_CTX_set_max_proto_vers... (GitHub)
Parsing integers in C. Aka "bye bye atoi".
daniel.haxx.se/blog/2025/11/13…
In the standard libc API set there are multiple functions provided that do ASCII numbers to integer conversions. They are handy and easy to use, but also error-prone and quite lenient in what they accept and silently just swallow. (daniel.haxx.se)
Twenty-nine years ago on this day, #httpget 0.1 was released.
I found the tool a few days later and within a few months I became the maintainer. We later renamed it. Twice. The last name it got is #curl. It stuck.
httpget was my first insight and lesson into HTTP and since then I have kept learning it.
httpget 0.1 was written by Rafael Sagula, who unfortunately is not with us anymore.
six #curl security reports received within the last eight hours
I'm not getting the sense that things are improving.
"#curl working as intended is a vulnerability"
Ok I paraphrased the title but this onslaught is a bit exhausting...
## Summary: The Arbitrary Configuration File Inclusion (ACFI) vulnerability was identified in the curl utility via the --config option. This flaw is a form of External Control of File Name... (HackerOne)
one of the most common security reports we get in #curl is claims of various CRLF injections where a user injects a CRLF into their own command lines and that's apparently "an attack".
We have documented this risk if you pass in junk in curl options but that doesn't stop the reporters from reporting this to us. Over and over.
Here's a recent one.
SMTP CRLF Injection Vulnerability in curl/libcurl ## Vulnerability ID: CURL-SMTP-CRLF-2024 ## CWE-93: Improper Neutralization of CRLF Sequences ### Executive Summary curl/libcurl contains a CRLF... (HackerOne)
In the #curl security team, we get to exercise deep protocol knowledge into the bits for many protocols including version variations and exploring funny quirks we have for adapting to many 3rd party libraries as well as a thorough understanding of the C language, how ABIs work, OS/platform variations and the occasional CPU peculiarity. Did I mention build systems?
And that's only for the issues we received this weekend.
You'd think merging on average eight bugfixes per day during the last #curl release cycle we would slow down a little now.
5 days after the release we are at:
Bugfixes logged: 48 (9.43 per day)