curl_osslq: fix missing include of url.h by devkdas · Pull Request #17864 · curl/curl
Follow-up to 4ccf3a3 #17783. Follow-up to b270fec #17858. Ref: #17857
readdir-related fixes that came to notice during development of this pull request: #17440
Python's built-in urllib module still doesn't support HTTP/2 (nor HTTP/3) in the year 2025; luckily pycurl exists and supports modern standards.
PycURL - Python interface to libcurl. Contribute to pycurl/pycurl development by creating an account on GitHub.
Keeping tabs on #curl's memory use
daniel.haxx.se/blog/2025/07/08…
One of the harder things to look out for in a software project is slow or gradual decay over a long period of time. Like if we gradually make a library 1% slower or use 2% more memory every other month.
Adhere to CI=true environment variable to hide #curl's progress bar?
github.com/curl/curl/discussio…
There is a de facto environment variable CI=true that is enabled on CI platforms like GitHub, GitLab and Jenkins. Tools such as pip and yarn listen to this and make their output less chatty. In man...
1. Download curl.se using #curl built to use OpenSSL (that is over HTTPS, in case Mastodon hides the scheme for you)
2. Count the number of allocations made with heaptrack
3. Pause for gasping
4. Double-check that curl only does 134 allocs itself, independently of the downloaded size
5. Check the heaptrack number again
54,000
hm
I posted "writing C for #curl" just a short while ago, which is relevant to the recent "C mistake" graphs.
daniel.haxx.se/blog/2025/04/07…
It is a somewhat common question to me: how do we write C in curl to make it safe and secure for billions of installations? Some precautions we take and decisions we make. There is no silver bullet, just guidelines.
You can follow along with the stream of security reports submitted to #curl by watching the ones we make public:
Per project policy, we make ALL reports public. (For practical reasons we have so far focused on getting everything submitted during 2025 disclosed. Hackerone has no method to disclose in bulk or automated, so it is a highly manual and tedious process involving a lot of clicks per single report)
C mistakes among the vulnerabilities present in #curl code
(C mistakes are vulnerabilities that were caused by a mistake that "probably would not have been possible" had we not been using C for curl. Manually assessed for each case.)
Vulnerability distribution present in #curl code
For every moment in time, how many vulnerabilities of different severity were present in code. We know now because these vulnerabilities have been reported and fixed since then.
The peak is at 7.41.0 on 2015-02-25 with 85 vulnerabilities present!
I'm introducing limits per test case in #curl test suite to make sure we don't unintentionally accidentally suddenly use many more allocations or much more concurrent memory than we can allow.
github.com/curl/curl/pull/1782…
The idea here is to set limits per test how many allocations and maximum amount of memory it is allowed to use. This is a means to make sure the number and total size of allocations are kept in che...
Commit f2ce6c4 among other things added the use of own library context instead of the default context. Default context has access to OpenSSL configuration file, own context doesn't have it. The...
The #curl user survey 2025 analysis is here.
daniel.haxx.se/blog/2025/07/03…
I'm pleased to announce that once again I have collected the results, generated the graphs and pondered over conclusions to make after the annual curl user survey.
Look, a new #curl option proposed by @icing: '--out-null'
github.com/curl/curl/pull/1780…
Add a new command-line option --out-null that discards all response bytes into the void. Replaces non-portable use of '-o /dev/null' with more efficiency. Feature earliest for 8.16.0
One of my fav graphs of #curl improvement in recent years is the one showing vulnerabilities reported, separated between low/medium and high/critical.
The report frequency has gone up, but they are less critical these days.
I need to add this hashtag at the end because I am contributing to a project at my university.
I use the hashtag for a project at my university.
Today we celebrate #curl having been part of OSS-fuzz for eight years. Imagine the amount of junk libcurl APIs have received in this time...
Django has updated its security policies to reject AI-generated vulnerability reports that include fabricated or unverifiable content.
Just for future reference and if anyone is curious: the seventeen AI slop security reports submitted to #curl (so far):
gist.github.com/bagder/07f7581…
Maybe this will come in handy.
AI slop security reports submitted to curl. GitHub Gist: instantly share code, notes, and snippets.
Today I added the following paragraph to #curl's hackerone page informing about our bug-bounty program:
Reports are made public
All security reports that are submitted to the curl project are subject for disclosure once they have been dealt with and they are deemed "insensitive". We are an Open Source project for which transparency is important, which then includes showing the world all our security reports as well.
(See hackerone.com/curl )
The curl Bug Bounty Program enlists the help of the hacker community at HackerOne to make curl more secure.
"Flaws in any (#curl) script or compiled artifact which isn't installed by default is not considered to be security vulnerabilities."
github.com/curl/curl/pull/1776…
Flaws in any script or compiled artifact which isn't installed by default is not considered to be security vulnerabilities.
One of these rare chances to get your hands on #curl stickers materializes tomorrow in Rotterdam when I appear at the Joy of Coding conference with a load of stickers waiting for new homes.
Less importantly, I will also talk. joyofcoding.org/daniel_stenber…
A one-day conference that celebrates the art, craft, science but foremost the joy of software development