Add the ability to create Linux and macOS binaries. We are
keeping the name curl-for-win though. Non-Windows
binaries are experimental at this point and they are not
official curl binaries for thes...
Currently the verbose output does not include which algorithms are used for the signature and key exchange when using OpenSSL. Including the algorithms used will enable better debugging when workin...
Astonishing how good libcurl works. Thanks a lot for the work that so many projects can build on.
The PR adds a link to a V request lib that uses libcurl.
in the #curl project, we have already done more commits in 2023 than any single previous year since 2014. If we manage 152 more commits this year, 2023 will become the most-commits year since 2004, which remains our top year with 2102 commits in a single year.
Hello,
When I was reading libcurl docs, I noticed that there's a minor mistake in the curl_easy_option_next example manpage. In that specific example, curl_easy_option_by_next() has been used, howe...
When you're a project as big as curl sometimes you get some weird bug report and recently Daniel Stenberg got a completely AI generated made up report, pleas...
On this day, six years ago, I was awarded the Polhem Prize for my work on #curl - and went home with a gold medal that was handed to me by the King of Sweden. A night to remember.
After all, your work on #wolfSSL and #curl is something noone outside of the know even is aware of but millions pf people if not billions of devices rely on daily...
## Summary:
Curl CVE-2023-38545 vulnerability code changes are disclosed on the internet
## Steps To Reproduce:
To replicate the issue, I have searched in the Bard about this vulnerability. It...
The first HTTP/3 code landed in #curl in 2019. Now we might soon have it enabled for real and not "experimental" anymore: curl.se/mail/lib-2023-10/0023.…
This is a cosmetic fix of errors returned by cli tool (added in #8805)
(URL fragment links generated from headers in https://curl.se/docs/ipfs.html are lowercase)
This is documented as "optional" by Microsoft, I know. But, apparently, this was not optional on older Windows versions! On those version, the function verifiably fails with error ERROR_INVALID_ACC...
Hi there,
After the last upload of curl to Debian (8.4.0), samueloph noticed some lintian warnings about the manpages:
W: libcurl4-doc: groff-message troff::106: warning: macro '..'...
#curl bug-bounty award amounts, after the two most recent ones. Accumulated 68,320 USD now. The new curl record payout was 4660 USD for CVE-2023-38545.
Currently, curl allows users to specify absurd request rates that might be higher than the number of milliseconds in the unit (ex: curl --rate 3600050/h http://localhost:8080 does not error out des...
This week many engineering teams are looking for the immensely popular open source library 'curl' in order to get ahead of the CVE-2023-38545 vulnerability. Most of them are NOT going to see it in their SBOM even though they use it.
In this article I walk through why this is, places it might be hiding and questions to ask that can help uncover your use of it.
The slides = https://www.slideshare.net/DanielStenberg7/mastering-the-curl-command-linepdf0:00 Mastering the curl command line0:16 Daniel Stenberg0:36 curl s...
populate_binsettings now returns a negative value on error, instead of a huge positive value. Both places which call this function have been updated to handle this change in its contract.
The way p...
Daniel walks through the significant security fixes, changes and bugfixes done in the curl 8.4.0 release.0:00 intro0:16 agenda0:52 release 2521:02 participat...
Why did the #curl #CVE202338545 vulnerability hide from static analysis tools?
The main reason for this is the type of code structure in question. In general state engines are quite difficult for static analysis tools, since as the name implies the state of the various variables depend on runtime state changes.
The code attempts to determine whether it is safe to use the provided host name for remote resolution. Since the code does not function correctly with host names longer than 255 characters, it falls back to using “socks5://” protocol (local name resolution) if the host name is longer. When the name is too long, the code forces “local name resolution” by setting “socks5_resolve_local” variable to TRUE.
Unfortunately this “socks5_resolve_local” variable isn’t stored in the “socks_state” structure as it should have been. For each state “step” the initial value for the variable is determined with:
The INIT state then set the “socks5_resolve_local” to TRUE if the host name is too long:
/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ if(!socks5_resolve_local && hostname_len > 255) { infof(data, "SOCKS5: server resolving disabled for hostnames of " "length > 255 [actual len=%zu]", hostname_len); socks5_resolve_local = TRUE; }
But this check is *only* done in INIT state. When the state is anything else, the initial value is used.
Now, later CONNECT_RESOLVE_REMOTE state checks if remote name resolution should be used or not:
if(!socks5_resolve_local) { if (… sx->hostname is literal IPv6 address …) { … use ipv6 address direct … } else if (… sx->hostname is literal IPv4 address …) { … use ipv4 address direct … } else { socksreq[len++] = 3; socksreq[len++] = (char) hostname_len; /* one byte address length */ memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */ len += hostname_len; } } As “socks5_resolve_local” flag is FALSE for the excessively long hostname the “socksreq” heap buffer will be overflown by the memcpy call.
There is no obvious way for the static analysis tools to determine that “socks5_resolve_local” might be set incorrectly for some of the states. Runtime #fuzzing will find this flaw quite easily, but unfortunately no fuzzing was performed for this specific functionality.
I'm Daniel Stenberg, maintainer and lead developer in the curl project. I stream curl related stuff. Release presentations, curl development and related topics.
