It's been a while but here's a new graph I'm testing. Getting the complexity for every function in #curl then assigning that complexity for all lines in that function. This gives an "average complexity per source code line".
Then plot this score for curl over time.
The idea now being to push it down hard.
The simple complicated setup: Supported #curl versions and end of life
daniel.haxx.se/blog/2025/05/14…
The other week we shipped the 266th curl release. This counter is perhaps a little inflated since it also includes the versions we did before we renamed it to curl, but still, there are hundreds of them.daniel.haxx.se
Instead of adding this information in another document, I now created a new one to maybe make it easier to find, discuss and to link. At a later point we should probably merge it into the CONTRIBUT...GitHub
We have a CI job to spot unwanted utf8 letters in #curl PRs as we have noticed that GitHub will gladly show the for example (identical) Cyrillic version of a letter next to the Latin version in a diff and it is yes, entirely impossible for a human to spot the diff. I mean the diff is shown, but the significance of it is not.
Changing just a single letter like that in a URL hostname opens up for a world of grief.
Live the bleeding edge life, help out the #curl project and test the fresh 8.14.0-rc2 build: curl.se/rc/
(Do not use release candidates in production. They are work in progress. Use them for testing and verification only. Use actual releases in production.)
Three year CURL sponsor
We are happy to sponsor the #CURL project for three years now. And maybe your company could also find and support an open source project?
“One way you can tell is it’s always such a nice report,” founder tells Ars.Kevin Purdy (Ars Technica)
The Register gets the amount completely wrong, as we have paid over 86,000 USD in bug-bounties since 2019.
It's just not that visible on #curl's hackerone page since the payouts are manged by the Internet Bug Bounty since several years.
Update: I sent them a correction and they already updated the article!
Five years ago I got the chance to write "A book for my library is a book about my library". A #curl #book #review
daniel.haxx.se/blog/2020/05/07…
Title: Curl ProgrammingAuthor: Dan GookinISBN: 9781704523286Weight: 181 grams A book for my library is a book about my library! Not long ago I discovered that someone had written this book about curl and that someone wasn't me! (I believe this is a f…daniel.haxx.se
#curl up 2025 is over
daniel.haxx.se/blog/2025/05/06…
James Fuller was our man on the ground in Prague. He found the venue, organized most of the event and made it another curl up success.daniel.haxx.se
14 presentations from #curl up 2025 in a playlist: youtube.com/playlist?list=PLpX…
(two talks are missing because we botched the recordings)
This thing works by generating fake vulnerability reports. Here are some of the qualities of the HackerOne report 3125832 sent to #curl:
- It looks convincing at a glance, especially if you're not a subject matter expert.
- It's vague about actual repro steps. It makes it impossible for the victim project to reproduce the issue. For example, it makes up fake patches against non-existent, imaginary code.
- It refers to functions and methods that do not exist (in case someone tries to look for them). When confronted, the attacker refer to some old or new versions of components, using non-existent commit hashes.
- The report makes up some convincing functionality or names that are novel, but don't really exist.
An expert’s look at the report shows the number of discrepancies, but finding them takes time and effort. It requires attention from a subject matter expert, with limited resources.
The real exploit here is that the attacker (evilginx) exploits the fact that the victims (the orgs who paid the attacker money) don't have the capacity to perform thorough analysis and rather just pay up. TL;DR: It's cheaper to pay the bug bounty than hire an expert to perform true analysis.
Why didn't it work against the curl project? The attacker miscalculated badly. Curl project is not a company and has far greater capability in security response than your average org. Also they can smell #aislop miles away.
"Mir reicht's": #Curl-Entwickler spricht Machtwort gegen "KI-Schrott"
golem.de/news/mir-reicht-s-cur…
> Entwickler @bagder zeigt sich frustriert über durch KI generierte Bug-Reports. Reporter werden künftig einem Intelligenztest unterzogen.
Btw., #Golem garniert den Artikel mit einem KI generierten Bild 🤷
Aber das mit den Intelligenztest finde ich gut. Die Frage ist, ob man mit Captchas gegen LLMs ankommt.
Don't forget to sign up for OpenInfra Forum on May 22 in #Stockholm to come and hear me blab about #curl. Or just extract some stickers from me and listen to the others instead.
meetup.com/openinfra-user-grou…
**Update: 121/150 anmälda.** **Update: Efterfesten är full 45/45 anmälda. 7 i kö.** Hej allihopa! Goda nyheter! Open Infra Forum firar 10 år, så den härMeetup
Live the bleeding edge life and take curl-8.14.0-rc1 for a test spin for us!
Thanks to users testing our rc builds, we can reduce the regression risk once we ship the actual *real* release on May 28. Today I shipped the rc1. There will be two more rc builds before the release.
Thanks for flying #curl
Overview This allows the user to select which algorithms are presented in the signature_algorithms client hello extension. In this change, I add the CURLOPT_SSL_SIGNATURE_ALGORITHM option for curl_...GitHub
The document has been updated by removing point 20.2 as is was done some time ago.GitHub
... as this allows a set string to affect how OpenSSL deals with the private keys/certs.GitHub
When cf_tcp_accept_connect() is called and it sets up a connection it never indicates to the caller that the it's done.GitHub
I'm pondering adding a --location-mode flag to #curl and I could use your feedback!
github.com/curl/curl/pull/1654…
Sets the "mode" for how to treat and use a custom HTTP method when following redirects. The idea being that a user can set location-mode: obey in their .curlrc or similar to get this func...GitHub
Ten years ago #curl visited the Nasdaq tower in New York
daniel.haxx.se/blog/2015/04/24…
Apigee posted this lovely picture over at twitter. A curl command line on the NASDAQ tower.daniel.haxx.se
How the CNA thing is working out for #curl
daniel.haxx.se/blog/2025/04/24…
Do you remember how curl became a CNA early last year? I was reminded that I had not really gotten back to this topic and explained to you, my dear readers, how it is and how it has worked out. This curl-being-a-CNA thing I mean.daniel.haxx.se
uint_hash, Curl_uint_hash_init and others are used in the file. Regression of 657aae7.GitHub
Updated #curl bug bounty stats, six years in:
520 reports
78 confirmed security vulnerabilities
104 "informative" reports, bugs that weren't vulnerabilities
11 marked as "AI slop"
The rest were just different kinds of not applicable. Some more crazy than others.
The latest confirmed curl vulnerability (CVE-2025-0725) was reported 90 days ago.
There is currently zero issues in our queue.
Before 8.13.0, it was not possible to generate them as it required calling the compiled binary, but this has been fixed. Forwarding the patch from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=...GitHub
tell me, what info/trend/data should I dig up or extract and include in my "state of #curl" talk at curl up in less than two weeks?
Here's the two hour talk I did last year:
youtu.be/1X3IP-pvKTY?si=mGAquf…
Daniel talks about curl in 2024. Where are are. How we do.YouTube
I compared #curl today vs curl 8 years ago on malloc count + memory use to download a single 512MB file over cleartext HTTP:
129 mallocs, which is exactly the same.
Maximum allocated now: 135566. 17,681 bytes *less* than eight years ago.
Not everything has to go bloat over time I suppose.
And here's the old blog post: daniel.haxx.se/blog/2017/04/22…
Today I landed yet another small change to libcurl internals that further reduces the number of small mallocs we do.daniel.haxx.se
Here is a documentation patch clarifying libcurl's guarantees with regards to the CURLOPT_ERRORBUFFER buffer. See #17100. Tested make -C docs.GitHub
One year anniversary for the #curl pillow "curl is just the hobby"
daniel.haxx.se/blog/2024/04/22…
Jan Gampe took things to the next level by actually making this cross-stitch out of the pattern I previously posted online. The flowers really gave it an extra level of charm I think.daniel.haxx.se
Rebased #12220 with kind permission of @brimonk. Additionally added some more documentation and explicitly initialized CURLOPT_WS_OPTIONS values to their defaults.GitHub
Every topic I usually blab about here in a single weekend in Prague? That's basically #curl up 2025. Consider yourself invited. Only two weeks away now.
