A common AI slop pattern in #curl reports we see is when the AI finds an internal function somewhere in libcurl and then generates a POC for the user that uses this internal function in a way that makes it misbehave/crash. But internally we don't use the function like that, and wouldn't, because then it fails.
Fixes #19228
The current code checks if a line starts with . which doesn't match the RFC spec. Per RFC 2449, the CAPA response terminator is a line containing only a single dot (plus CRLF).
Whi...
🧠 Summary
Fixes a double free in free_config_fields() .
🔍 Details
Double free bug in src/tool_cfgable.c.
At lines 104–105 and 187–188, config->proto_str and config->proto_redir_str are each ...
Curl is one of the last callers of PKCS12_PBE_add(). It has been a noop since OpenSSL 0.9.8k (2006) stubbed it out when moving the built-in PBE algorithms to a static table:
openssl/openssl@b8f702a
I have had multiple persons tell me recently that they truly hesitated and made really sure they didn't submit slop before they filed their first security reports to #curl.
Meaning: public shaming seems to at least partially work. Banning, taunting and ridiculing the fools works as a reminder for people to maybe think again and make sure.
In November 2022, after I had been keeping track and adding names to this slide for a few years already, we could boast about curl having run on 89 different operating systems and only one year later we celebrated having reached 100 operating systems…
#curl gets some of the worst #AIslop "vulnerabilities" reported to it via Hackerone: Here we have a fake 90s exploit assuming executable stack and x86 arch. Someone seriously passing this as their own research is stupid beyond belief.
#curl binary builds at curl.se/windows/ started using a fresh public suffix list, and will bump them regularly. (no longer relying on the copy bundled with libpsl, which is almost 2 years old) github.com/curl/curl-for-win/c…
Replacing the public suffix list bundled with libpsl.
The original promise / expectation was that libpsl sees regular updates,
and a psl update with it, but the latest release is soon to be 2 year...
At the AIxCC competition at DEF CON 33 earlier this year, teams competed against each other to find vulnerabilities in provided Open Source projects by using (their own) AI powered tools.
## Summary:
Buffer overflow vulnerability in curl's WebSocket implementation due to unsafe use of strcpy() in the handshake process. The vulnerability is located at lib/ws.c:1287 where...
The Royal Swedish Academy of Sciences (IVA, the same org that selects winners for three of the Nobel prize categories) awards me a gold medal 2025 for my work on curl.
Hi, I just want to let you know (and have there be a record) of the fact that Digital Extremes, a Canadian video-game-developer-turned-GaaS-developer, are using cURL (statically linked alongside Op...
Description:
This MR fixes an issue where the connection retry mechanism does not trigger when CONN_MAX_RETRIES + 1 attempts are reached, resulting in the error:
The root cause is that the retry co...
We're at 809 received #curl issues from "team AI tooling", out of which about 15% has turned into commits/fixes.
The false positive/we don't care rate went up significantly when the scan included tests and examples. We should simply exclude those parts from normal scans as they live by different rules.
If you're curious, here are 158 of Joshua's reported issues on #curl to give you an idea what we talk about.
We have manually gone trough them all and dismissed or addressed them. None of them has been deemed a security problem. Not all the PRs for the valid problems have been merged yet.
One of the recent AI generated bug reports for #curl quite impressively identifies mismatches between a function header's comment mentioning that an argument is optional, but the code uses it unconditionally.
This taking comments into account certainly allows for some extra magic the classic code analyzers can't do.
The kerberos5 library Heimdal is one of three GSS libraries curl support.
It has a memory leak triggered by the new test in #18917 and the project
seems mostly abandoned.
Drop support and steer use...
## Summary:
In curl’s OpenSSL backend, `ossl_get_channel_binding` retains a new reference to the server’s X509 certificate via `SSL_get1_peer_certificate` and never releases it. When Negotiate...
curl maintainers meet-up to discuss HTTP3, GnuTLS, wcurl and other things.Presenter:Samuel Henrique "samueloph" is a software developer focused on Debian, Li...
