people are also often obsessed by C vs non-C vulnerabilities, and in #curl the share of mistakes that are related to the programming language keep shrinking (just over 40% now)
This is WAY lower than what is commonly reported as a the general percentage. (60-70% is commonly repeated)
For details on the #curl PSL vulnerability, check out the #hackerone report. And if you use libpsl, double-check that your use is correct: hackerone.com/reports/2212193
Two mentioned projects in this report in particular should check their code.
## Summary: libcurl fails to normalize the `hostname` and `cookie_domain` parameters passed to `psl_is_cookie_domain_acceptable` function. As a result a malicious site can set a super cookie if the...HackerOne
## Summary: libcurl fails to normalize the `hostname` and `cookie_domain` parameters passed to `psl_is_cookie_domain_acceptable` function. As a result a malicious site can set a super cookie if the...HackerOne
#curl 8.5.0
Two changes, two CVEs, 188 bugfixes. curl 8.5.0 is here and Daniel takes you through the news.(The video is a notch worse than usual due to technical difficu...YouTube
Since 8.4.0_10: - building curl with CMake UNITY mode (replacing GNU Make) Since 8.4.0_9: - LibreSSL 3.8.2 (replacing quictls) Since 8.4.0_8: - smaller x64 and x86 binaries ce5113aa3ca8c841a6d...GitHub
Welcome to #curl 8.5.0
daniel.haxx.se/blog/2023/12/06…
cookie mixed case PSL bypass: curl.se/docs/CVE-2023-46218.ht…
HSTS long file name clears contents: curl.se/docs/CVE-2023-46219.ht…
xcurl
I learned that "xCurl is a Microsoft Game Development Kit compliant implementation of the #libCurl API"
daniel.haxx.se/blog/2023/11/30…
#curl
Building #curl using #OpenSSL 3.2 #QUIC?
github.com/curl/curl/discussio…
Hello, are there any plans to build libcurl with OpenSSL v3.2's new QUIC API? OpenSSL v3.2 was officially released 11/23 (which supports QUIC client capabilities). In this way, libcurl doesn't need...GitHub
A talk given by Daniel Stenberg from wolfSSL at the 2023 Platform Summit in Stockholm.Everyone uses curl, the Swiss army knife of Internet transfers. Earlier...YouTube
#curl on 100 operating systems
aka "Why do I care so much about old legacy crap?"
daniel.haxx.se/blog/2023/11/14…
The Encrypted Client Hello (ECH) mechanism draft-spec is a way to plug a few privacy-holes that remain in the Transport Layer Security (TLS) protocol that’s used as the security layer for the web.jochensp (https://guardianproject.info)
GCC 14 introduces a new -Walloc-size included in -Wextra which gives: src/tool_operate.c: In function ‘add_per_transfer’: src/tool_operate.c:213:5: warning: allocation of insufficient size ‘1’ for ...GitHub
"On behalf of Google Open Source, I would like to thank you for your contribution to #curl"
daniel.haxx.se/blog/2023/11/11…
Windows projects included VC14, VC14.10, VC14.30 but not VC14.20. OpenSSL and WolfSSL bat scripts mention VC14.20 so I don't suspect an underlying problem with this platform toolset. Updated the te...GitHub
I've ordered 40 curl coasters I'm gonna give away to #curl contributors I meet.
daniel.haxx.se/blog/2023/11/03…
This change fixes a compiler warning with gcc-12.2.0 when -DCURL_DISABLE_BEARER_AUTH=ON is used. /home/tox/src/curl/lib/http.c: In function 'Curl_http_input_auth': /home/tox/src/curl/lib/http.c:114...GitHub
Query params with ?novalparam (i.e. no =) need to be given an empty value while canonicalising From https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html When a request targ...GitHub
xref: https://curl.se/changes.html#7_70_0 related issue: #6844GitHub
and hey, look at this:
HTTP3: ngtcp2 builds are no longer experimental
One step closer to HTTP/3 support in shipped #curl binaries.
github.com/curl/curl/pull/1223…
The other HTTP/3 backends are still experimental.GitHub
Fixes ZD#16824. Customer is using a strict compiler which requires default cases for all switch statements.GitHub
Starting soon, you might need Windows XP or later to run #curl on Windows... Yes, the XP that was introduced in 2001.
github.com/curl/curl/pull/1222…
After this patch we assume availability of getaddrinfo and freeaddrinfo, first introduced in Windows XP. Meaning curl now requires building for Windows XP as a minimum. TODO: assume these also in a...GitHub
"mastering the #curl command line" has been viewed 12,000 times in less than two months.
The slides = https://www.slideshare.net/DanielStenberg7/mastering-the-curl-command-linepdf0:00 Mastering the curl command line0:16 Daniel Stenberg0:36 curl s...YouTube
