Three year CURL sponsor
We are happy to sponsor the #CURL project for three years now. And maybe your company could also find and support an open source project?
“One way you can tell is it’s always such a nice report,” founder tells Ars. (Kevin Purdy, Ars Technica)
The Register gets the amount completely wrong, as we have paid over 86,000 USD in bug-bounties since 2019.
It's just not that visible on #curl's hackerone page since the payouts have been managed by the Internet Bug Bounty for several years.
Update: I sent them a correction and they already updated the article!
Five years ago I got the chance to write "A book for my library is a book about my library". A #curl #book #review
daniel.haxx.se/blog/2020/05/07…
Title: Curl Programming. Author: Dan Gookin. ISBN: 9781704523286. Weight: 181 grams. A book for my library is a book about my library! Not long ago I discovered that someone had written this book about curl and that someone wasn't me! (I believe this is a f… (daniel.haxx.se)
#curl up 2025 is over
daniel.haxx.se/blog/2025/05/06…
James Fuller was our man on the ground in Prague. He found the venue, organized most of the event and made it another curl up success. (daniel.haxx.se)
14 presentations from #curl up 2025 in a playlist: youtube.com/playlist?list=PLpX…
(two talks are missing because we botched the recordings)
This thing works by generating fake vulnerability reports. Here are some of the qualities of the HackerOne report 3125832 sent to #curl:
- It looks convincing at a glance, especially if you're not a subject matter expert.
- It's vague about actual repro steps. It makes it impossible for the victim project to reproduce the issue. For example, it makes up fake patches against non-existent, imaginary code.
- It refers to functions and methods that do not exist (in case someone tries to look for them). When confronted, the attacker refers to some old or new versions of components, using non-existent commit hashes.
- The report makes up some convincing functionality or names that are novel, but don't really exist.
An expert’s look at the report shows a number of discrepancies, but finding them takes time and effort. It requires attention from a subject matter expert, with limited resources.
The real exploit here is that the attacker (evilginx) exploits the fact that the victims (the orgs who paid the attacker money) don't have the capacity to perform thorough analysis and rather just pay up. TL;DR: It's cheaper to pay the bug bounty than hire an expert to perform true analysis.
Why didn't it work against the curl project? The attacker miscalculated badly. The curl project is not a company and has far greater capability in security response than your average org. Also they can smell #aislop miles away.
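The qualities listed above (calls to functions that do not exist, commit hashes that match nothing in the repository) are mechanically checkable, which is useful for triage when expert time is the scarce resource. The following is an added example, not code from the post or from the curl project: it pulls function-call-like identifiers and hex commit hashes out of a report and compares them against allow-lists of known symbols and commits. The report text, the allow-list contents and the symbol names `Curl_ssl_unlock_session` and `Curl_ssl_session_reuse` are constructed for the example; in a real setup the allow-lists would be generated from the checked-out source tree and from `git rev-parse`.

```python
import re

# Constructed sample report text (not a real HackerOne submission). It mixes a
# real libcurl API name with invented internal functions and an invented
# commit hash, the pattern described in the post above.
SAMPLE_REPORT = """
Title: Use-after-free in TLS session cache

When curl_easy_setopt() is used with CURLOPT_SSL_SESSIONID_CACHE, the helper
Curl_ssl_unlock_session() frees the session before Curl_ssl_session_reuse()
reads it. Introduced in commit a1b2c3d4e5f, partially mitigated by 657aae7.
Patch: replace the call in lib/vtls/sessioncache.c line 412.
"""

# Constructed allow-lists. The symbol names and commit prefixes here appear on
# this page; a real triage would build them from the source tree and git log.
KNOWN_SYMBOLS = {"curl_easy_setopt", "curl_easy_perform", "Curl_uint_hash_init"}
KNOWN_COMMITS = {"657aae7", "279a477", "9f8bdd0"}

# C keywords that also precede a "(" but are not function names.
C_KEYWORDS = {"if", "for", "while", "switch", "return", "sizeof"}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# 7..40 lowercase hex chars containing at least one letter, so plain
# decimal numbers such as report ids are not mistaken for hashes.
HASH_RE = re.compile(r"\b(?=[0-9]*[a-f])[0-9a-f]{7,40}\b")


def extract_function_calls(text):
    """Return identifiers followed by '(' in order of first appearance."""
    seen = []
    for match in CALL_RE.finditer(text):
        name = match.group(1)
        if name not in C_KEYWORDS and name not in seen:
            seen.append(name)
    return seen


def extract_commit_hashes(text):
    """Return hash-like hex strings in order of first appearance."""
    seen = []
    for match in HASH_RE.finditer(text):
        if match.group(0) not in seen:
            seen.append(match.group(0))
    return seen


def _hash_known(candidate, known_commits):
    # Short and full hashes should match each other by prefix.
    return any(k.startswith(candidate) or candidate.startswith(k) for k in known_commits)


def triage(report, known_symbols, known_commits):
    """Flag referenced functions and commits that the project does not have."""
    unknown_functions = [c for c in extract_function_calls(report) if c not in known_symbols]
    unknown_commits = [h for h in extract_commit_hashes(report) if not _hash_known(h, known_commits)]
    return {
        "unknown_functions": unknown_functions,
        "unknown_commits": unknown_commits,
        # Anything unresolvable is a discrepancy an expert should look at first.
        "needs_expert_review": bool(unknown_functions or unknown_commits),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, KNOWN_SYMBOLS, KNOWN_COMMITS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A non-empty `unknown_functions` list does not prove a report is fabricated (the reporter may have renamed something, or the allow-list may be stale), but it tells the triager exactly which claims to verify first instead of reading the whole report cold.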
"Mir reicht's" ("I've had enough"): #Curl developer lays down the law against "AI junk"
golem.de/news/mir-reicht-s-cur…
> Developer @bagder is frustrated by AI-generated bug reports. Reporters will in future be put through an intelligence test.
By the way, #Golem garnishes the article with an AI-generated image 🤷
But I like the intelligence test idea. The question is whether captchas can hold up against LLMs.
Don't forget to sign up for OpenInfra Forum on May 22 in #Stockholm to come and hear me blab about #curl. Or just extract some stickers from me and listen to the others instead.
meetup.com/openinfra-user-grou…
**Update: 121/150 registered.** **Update: The afterparty is full, 45/45 registered. 7 on the waiting list.** Hi everyone! Good news! Open Infra Forum is celebrating 10 years, so this… (Meetup)
Live the bleeding edge life and take curl-8.14.0-rc1 for a test spin for us!
Thanks to users testing our rc builds, we can reduce the regression risk once we ship the actual *real* release on May 28. Today I shipped the rc1. There will be two more rc builds before the release.
Thanks for flying #curl
Overview: This allows the user to select which algorithms are presented in the signature_algorithms client hello extension. In this change, I add the CURLOPT_SSL_SIGNATURE_ALGORITHM option for curl_... (GitHub)
The document has been updated by removing point 20.2 as it was done some time ago. (GitHub)
... as this allows a set string to affect how OpenSSL deals with the private keys/certs. (GitHub)
When cf_tcp_accept_connect() is called and it sets up a connection it never indicates to the caller that it's done. (GitHub)
I'm pondering adding a --location-mode flag to #curl and I could use your feedback!
github.com/curl/curl/pull/1654…
Sets the "mode" for how to treat and use a custom HTTP method when following redirects. The idea being that a user can set location-mode: obey in their .curlrc or similar to get this func... (GitHub)
Ten years ago #curl visited the Nasdaq tower in New York
daniel.haxx.se/blog/2015/04/24…
Apigee posted this lovely picture over at twitter. A curl command line on the NASDAQ tower. (daniel.haxx.se)
How the CNA thing is working out for #curl
daniel.haxx.se/blog/2025/04/24…
Do you remember how curl became a CNA early last year? I was reminded that I had not really gotten back to this topic and explained to you, my dear readers, how it is and how it has worked out. This curl-being-a-CNA thing I mean. (daniel.haxx.se)
uint_hash, Curl_uint_hash_init and others are used in the file. Regression of 657aae7. (GitHub)
Updated #curl bug bounty stats, six years in:
520 reports
78 confirmed security vulnerabilities
104 "informative" reports, bugs that weren't vulnerabilities
11 marked as "AI slop"
The rest were just different kinds of not applicable. Some more crazy than others.
The latest confirmed curl vulnerability (CVE-2025-0725) was reported 90 days ago.
There are currently zero issues in our queue.
Before 8.13.0, it was not possible to generate them as it required calling the compiled binary, but this has been fixed. Forwarding the patch from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=... (GitHub)
Tell me, what info/trend/data should I dig up or extract and include in my "state of #curl" talk at curl up in less than two weeks?
Here's the two hour talk I did last year:
youtu.be/1X3IP-pvKTY?si=mGAquf…
Daniel talks about curl in 2024. Where we are. How we do. (YouTube)
I compared #curl today vs curl 8 years ago on malloc count + memory use to download a single 512MB file over cleartext HTTP:
129 mallocs, which is exactly the same.
Maximum allocated now: 135,566 bytes. 17,681 bytes *less* than eight years ago.
Not everything has to go bloat over time I suppose.
And here's the old blog post: daniel.haxx.se/blog/2017/04/22…
Today I landed yet another small change to libcurl internals that further reduces the number of small mallocs we do. (daniel.haxx.se)
Here is a documentation patch clarifying libcurl's guarantees with regards to the CURLOPT_ERRORBUFFER buffer. See #17100. Tested make -C docs. (GitHub)
One year anniversary for the #curl pillow "curl is just the hobby"
daniel.haxx.se/blog/2024/04/22…
Jan Gampe took things to the next level by actually making this cross-stitch out of the pattern I previously posted online. The flowers really gave it an extra level of charm I think. (daniel.haxx.se)
Rebased #12220 with kind permission of @brimonk. Additionally added some more documentation and explicitly initialized CURLOPT_WS_OPTIONS values to their defaults. (GitHub)
Every topic I usually blab about here in a single weekend in Prague? That's basically #curl up 2025. Consider yourself invited. Only two weeks away now.
Without this patch, the handling of the alt-svc header added via 279a477 (CC: @icing) in curl-8.13.0 attempts to connect to alternative services via different HTTP versions, even if the target HTTP... (GitHub)
Very similar to 9f8bdd0, but affects e.g. netrc file parsing. Suggested-by: Graham Christensen graham@grahamc.com I opted to write a Perl test for this, since I didn't know how dynamic the %HO... (GitHub)
curl HTTP/3 with OpenSSL 3.5 may be coming your way soon. Tatsuhiro, the maintainer of ngtcp2, did the (unnecessarily) heavy lifting to adapt and I did the comparatively few changes for it in curl.
Once ngtcp2 releases, we can merge that hopefully for the next curl release. If you want to test, see:
github.com/curl/curl/pull/1702…
#curl #http3
With the new addition of QUIC support and the support in ngtcp2 main branch, make the necessary adjustments in curl to support this combination. add support in configure.ac to detect the feature O... (GitHub)
Summing up the #curl distro 2025 meet
daniel.haxx.se/blog/2025/04/10…
My kind of meeting.
On April 10 we ran the curl distro meeting 2025. A, by now, annual open meeting where maintainers from the curl project hang out with curl package maintainers for distros and other people who are interested. (daniel.haxx.se)
The annual #curl distro meeting happened. Thanks everyone who participated. Good discussions. Excellent feedback. I have some action items.
curl might just get yet a little better as a result of this!