people are also often obsessed by C vs non-C vulnerabilities, and in #curl the share of mistakes that are related to the programming language keep shrinking (just over 40% now)
This is WAY lower than what is commonly reported as a the general percentage. (60-70% is commonly repeated)
For details on the #curl PSL vulnerability, check out the #hackerone report. And if you use libpsl, double-check that your use is correct: hackerone.com/reports/2212193
Two mentioned projects in this report in particular should check their code.
## Summary:
libcurl fails to normalize the `hostname` and `cookie_domain` parameters passed to `psl_is_cookie_domain_acceptable` function. As a result a malicious site can set a super cookie if the...
## Summary:
libcurl fails to normalize the `hostname` and `cookie_domain` parameters passed to `psl_is_cookie_domain_acceptable` function. As a result a malicious site can set a super cookie if the...
Two changes, two CVEs, 188 bugfixes. curl 8.5.0 is here and Daniel takes you through the news.(The video is a notch worse than usual due to technical difficu...
#curl 8.5.0 Windows binaries released. With faster CMake builds in "unity" mode, LibreSSL, smaller binaries, OpenSSF-recommended hardening options, and LLVM 17. (Same for Linux and macOS builds) /cc @bagder github.com/curl/curl-for-win/c…
Since 8.4.0_10:
- building curl with CMake UNITY mode (replacing GNU Make)
Since 8.4.0_9:
- LibreSSL 3.8.2 (replacing quictls)
Since 8.4.0_8:
- smaller x64 and x86 binaries ce5113aa3ca8c841a6d...
With my monster documentation patch I landed yesterday, #curl now has more than 90,000 lines of documentation in its git repository. That does not include everything curl, which is a separate thing: everything.curl.dev/ (and an additional almost 16,000 lines of docs)
Hello, are there any plans to build libcurl with OpenSSL v3.2's new QUIC API? OpenSSL v3.2 was officially released 11/23 (which supports QUIC client capabilities). In this way, libcurl doesn't need...
A talk given by Daniel Stenberg from wolfSSL at the 2023 Platform Summit in Stockholm.Everyone uses curl, the Swiss army knife of Internet transfers. Earlier...
The Encrypted Client Hello (ECH) mechanism draft-spec is a way to plug a few privacy-holes that remain in the Transport Layer Security (TLS) protocol that’s used as the security layer for the web.
GCC 14 introduces a new -Walloc-size included in -Wextra which gives:
src/tool_operate.c: In function ‘add_per_transfer’:
src/tool_operate.c:213:5: warning: allocation of insufficient size ‘1’ for ...
Windows projects included VC14, VC14.10, VC14.30 but not VC14.20.
OpenSSL and WolfSSL bat scripts mention VC14.20 so I don't suspect an underlying problem with this platform toolset.
Updated the te...
This change fixes a compiler warning with gcc-12.2.0 when -DCURL_DISABLE_BEARER_AUTH=ON is used.
/home/tox/src/curl/lib/http.c: In function 'Curl_http_input_auth':
/home/tox/src/curl/lib/http.c:114...
Query params with ?novalparam (i.e. no =) need to be given an empty value while canonicalising
From https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
When a request targ...
Tangential question that that thread has made me wonder: How do you decide what to put in the user surveys? I recently worked for someone creating a survey and the attention to detail in the design to try and get the most useful data there was mind boggling. Given how important #curl is, it makes me wonder how you do it?
After this patch we assume availability of getaddrinfo and
freeaddrinfo, first introduced in Windows XP. Meaning curl
now requires building for Windows XP as a minimum.
TODO: assume these also in a...
The slides = https://www.slideshare.net/DanielStenberg7/mastering-the-curl-command-linepdf0:00 Mastering the curl command line0:16 Daniel Stenberg0:36 curl s...
