Search
Items tagged with: CURL
#curl 8.16.0
curl 8.16.0 with Daniel Stenberg
Daniel presents the security vulnerabilities, the changes, bugfixes in 8.16.0 and what might possibly be coming next.YouTube
#curl 8.16.0 was just released:
daniel.haxx.se/blog/2025/09/10…
I will live-stream a release presentation at 10:00 CEST on twitch
curl 8.16.0
Welcome to one of the more feature-packed curl releases we have had in a while. Exactly eight weeks since we shipped 8.15.0.daniel.haxx.se
There's going to be more speak about AIs finding genuine security problems soon.
Google Big Sleep found one in #curl that we reveal tomorrow.... in about eight hours. (but no, we don't know how much was AI and how much was human or how many false positives they had to wade through to get there etc maybe they will let us know later?)
if there ever is a major incident in #curl, we now have a documented approach on how to work through it
daniel.haxx.se/blog/2025/09/09…
preparing for the worst
One of these mantras I keep repeating is how we in the curl project keep improving, keep polishing and keep tightening every bolt there is.daniel.haxx.se
Working on a way to have #curl -w able to output the contents of all headers with a set name even from a redirect-"chain":
github.com/curl/curl/pull/1849…
write-out: make %header{} able to output *all* occurances of a header by bagder · Pull Request #18491 · curl/curl
By appending :all:[separator] to the header name. The [separator] string is output between each header value if there are more than one to output. Test 764 verifies Idea-by: kapsiR on github Ref: #...GitHub
About that enhanced WebSocket support in the next curl release, e.g. next Wednesday:
#curl #websocket
eissing.org/icing/posts/curl-w…
websocket in curl
WebSocket has been supported by curl as a non-experimental feature since version 8.11.0 (November 6 2024). With the upcoming release of version 8.16.0, we are taking it a step further.icing's blog
major incident section added to the #curl vulnerability disclosure policy
github.com/curl/curl/pull/1848…
by @jimfuller
In this newly disclosed #curl security report it is painfully obvious how the user's "clever" idea of using an AI to write the report made the report into a impenetrable wall of text instead of simply stating the problem in a few coherent paragraphs.
curl disclosed on HackerOne: libcurl: Host-Only Cookies Leak to...
libcurl canonicalizes numeric IPv4 hostnames during URL parsing and redirect handling (example: 127.000.000.001 to 127.0.0.1). When a host-only cookie (no Domain= attribute) is set, it is stored in...HackerOne
Having ongoing discussions about URL parsing differences as a basis for a #curl security vulnerability report made me check when I wrote my "my URL isn't your URL" blog post.
*Nine years ago*. And we have not made a single move towards a solution in all this time.
daniel.haxx.se/blog/2016/05/11…
My URL isn’t your URL
When I started the precursor to the curl project, httpget, back in 1996, I wrote my first URL parser. Back then, the universal address was still called URL: Uniform Resource Locators. That spec was published by the IETF in 1994.daniel.haxx.se
Digital Extremes violate the #cURL license?
github.com/curl/curl/discussio…
If they do, that's a shame but there's not a lot I can do. Anyone who can verify this claim? (probably by scanning the binaries for known names or similar)
Digital Extremes violate the cURL license · curl curl · Discussion #18474
Hi, I just want to let you know (and have there be a record) of the fact that Digital Extremes, a Canadian video-game-developer-turned-GaaS-developer, are using cURL (statically linked alongside Op...GitHub
Today is exactly twelve years ago since we created the lib/http2.c source file in the #curl source tree, and doing HTTP would never be the same again.
The paradigm shift going from one transfer per connection to possibly multiple transfers per connection was massive and took many years until most of the bugs were ironed out.
On September 28, I will speak at #EuroBSDCon in Zagreb Croatia.
But more importantly, I will bring #curl stickers.
docs: fix typo (staring -> starting) by ffried · Pull Request #18450 · curl/curl
I noticed the typo in the --retry-max-time docs and decide to do a quick search for staring which lead to three more places where this typo made its way into the docs.GitHub
In the curl release after the next, there is a nice feature coming for event-based applications: notifications.
Some numbers on possible performance/cpu use improvements in the PR, ymmv.
#curl
github.com/curl/curl/pull/1843…
multi notifications by icing · Pull Request #18432 · curl/curl
An implementation of the discussion #17817, adding a "notification" feature to the multi handle. Notification types INFO_READ and EASY_DONE implemented Notification types expected to gro...GitHub
curl_ngtcp2 handshake timeout should be equal to --connect-timeout by XCas13 · Pull Request #18431 · curl/curl
Default handshake timeout is hardcoded (10 seconds) and doesn't respect --connect-timeout parameter. In some cases 10 seconds can be not enough or too long to "establish a connection"...GitHub
Adding openHiTLS as a New Cryptographic Backend for curl ? · curl curl · Discussion #18429
Hello curl community, I'd like to discuss the possibility of adding openHiTLS as a new cryptographic backend for curl. About openHiTLS openHiTLS is an open-source cryptographic library that provide...GitHub
#curl is dropping support for OpenSSL 1.x soon
daniel.haxx.se/blog/2025/08/28…
Dropping old OpenSSL
curl added support for OpenSSL immediately when it was first released, as they switched away from SSLeay, in the late 1990s. We have since supported it over the decades as both OpenSSL and curl have developed.daniel.haxx.se
OpenSSL forks
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...GitHub
We are thirteen days away from next #curl release.
We have 17 changes and 225 bugfixes logged so far for this.
One low severity CVE will be published in sync with this release.
Thanks for flying curl.
Today we celebrate seven years of #curl shipping official Windows executables, thanks to @vsz's awesome work.
Blog post from back then:
daniel.haxx.se/blog/2018/08/27…
Blessed curl builds for Windows
The curl project is happy to introduce official and blessed curl builds for Windows for download on the curl web site. This means we have a set of recommended curl packages that we advice users on Windows to download.daniel.haxx.se
It took me 4 seconds to figure out that the grey elements are not partvof the graph (to indicate trends or something) but the curl logo.
#curl
"Yesterday, Wikipedia received over 45 million requests made with #curl, from 113 distinct curl releases."
Inspired by the BBC Tech report from @tdp_org, I looked at Wikipedia.
Yesterday, Wikipedia received over 45 million requests made with curl, from 113 distinct curl releases.
Of these, 32 million use the default UA (e.g. curl CLI). The other 13 million embed libcurl with a longer UA string containing curl (e.g. GuzzleHttp/PHP, PycURL, UnityPlayer)
At 12 million, most are curl/7.88.1.
Raw data, queries, and scrub/cleaning parameters:
gitlab.wikimedia.org/-/snippet…
docs: fix link CONTRIBUTE.md link by dulvui · Pull Request #18372 · curl/curl
Github interprets ../docs/CONTRIBUTE.md correctly when clicked from https://github.com/curl/curl/blob/master/.github/CONTRIBUTING.md, but does not if clicked on the repo landing page on https://git...GitHub