Items tagged with: curl


Tor has introduced this new cool tool they call oniux. On the page announcing it they show off a #curl command line that hasn't worked for two years... since curl nowadays refuses to resolve .onion names like RFC 7686 says.

blog.torproject.org/introducin…

#curl


and even before you ask: the graph of graphs in the #curl dashboard
#curl


and: what share of the #curl code is considered how complex, over time
#curl


It's been a while but here's a new graph I'm testing. Getting the complexity for every function in #curl then assigning that complexity for all lines in that function. This gives an "average complexity per source code line".

Then plot this score for curl over time.

The idea now being to push it down hard.

#curl


yeah #curl has just 16 open issues. I'm a firm believer in not having a lot of open issues so we in fact never do. We work really hard on that. A project philosophy.
#curl


Darn, we missed the opportunity for a celebratory cake when we passed 5,000 closed issues in the #curl project
#curl


We have a CI job to spot unwanted utf8 letters in #curl PRs as we have noticed that GitHub will gladly show, for example, the (identical-looking) Cyrillic version of a letter next to the Latin version in a diff and it is, yes, entirely impossible for a human to spot the diff. I mean the diff is shown, but the significance of it is not.

Changing just a single letter like that in a URL hostname opens up for a world of grief.

#curl
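A check in the spirit of the CI job described above, written as an added example and not the curl project's own script: it walks the added lines of a unified diff, reports every non-ASCII character with its code point and Unicode name, and marks a character as high severity when the word around it mixes Latin letters with another script, which is what a homoglyph swap in a hostname looks like. The sample diff is constructed for the example.

```python
import re
import unicodedata

# Constructed sample diff (not from the curl repository). The first added
# line replaces the Latin "a" in "example" with Cyrillic "a" (U+0430),
# which GitHub renders identically to the Latin letter.
SAMPLE_DIFF = """\
--- a/lib/url.c
+++ b/lib/url.c
@@ -10,3 +10,4 @@
 #define BASE "https://example.com/"
+#define MIRROR "https://ex\u0430mple.com/"
+#define NOTE "plain ascii is fine"
-#define OLD "https://example.net/"
"""

def script_of(ch):
    """First word of the Unicode name, e.g. 'LATIN', 'CYRILLIC', 'GREEK'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def scan_diff(diff_text):
    """Return one finding per non-ASCII character on an added ('+') line.

    A finding is (diff_line_no, char, codepoint, unicode_name, mixed_script);
    mixed_script is True when the surrounding word also contains Latin
    letters, i.e. the shape a homoglyph substitution in a hostname takes.
    """
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only added lines matter; skip the +++ file header
        body = line[1:]
        mixed_words = set()
        for word in re.findall(r"\w+", body):  # \w is Unicode-aware in Python 3
            scripts = {script_of(c) for c in word if c.isalpha()}
            if "LATIN" in scripts and len(scripts) > 1:
                mixed_words.add(word)
        for c in body:
            if ord(c) > 0x7F:
                in_mixed = any(c in w for w in mixed_words)
                findings.append((lineno, c, f"U+{ord(c):04X}",
                                 unicodedata.name(c, "UNKNOWN"), in_mixed))
    return findings

def diff_is_clean(diff_text):
    """CI gate: fail on any non-ASCII character in added lines."""
    return not scan_diff(diff_text)

if __name__ == "__main__":
    for lineno, ch, cp, name, mixed in scan_diff(SAMPLE_DIFF):
        sev = "HIGH (mixed-script word)" if mixed else "review"
        print(f"line {lineno}: {cp} {name} ({ch}) -> {sev}")
    raise SystemExit(0 if diff_is_clean(SAMPLE_DIFF) else 1)
```

Feed it `git diff origin/main...HEAD` output in CI and a non-zero exit blocks the merge; an accented letter in a comment is still reported, but without the mixed-script flag, so a reviewer can tell the two cases apart.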


Live the bleeding edge life, help out the #curl project and test the fresh 8.14.0-rc2 build: curl.se/rc/

(Do not use release candidates in production. They are work in progress. Use them for testing and verification only. Use actual releases in production.)

#curl


So the user actually found a memory leak in #curl (using a fuzzer) and reported it correctly. All good.

Then, in a follow up comment the user makes the ugly choice of trying to "help" us with this bug by asking an AI for help and proposing that as a solution.

And again it broke horribly and the AI made up a broken patch that did not even fix the problem.

Now that reporter is banned.

#curl


In 2025 so far, #curl has received 32 security vulnerability reports.

Out of those, two were confirmed genuine vulnerabilities. The latest one submitted January 23.

Six of them were AI slop (some of the others might as well be, but it isn't always easy to tell).

Ten of them we classified as "normal bugs" and took care of the normal way.

As a general rule, we spend several man hours on every incident but we don't actually track nor measure that.

#curl



neither would be required if someone sat down on the weekend and rewrote #curl in rust
#curl


Several people who reply on that LinkedIn post of mine help show the reality distortion field, by proposing #curl "should just hire a security professional" instead of relying on a bug-bounty program.

Kind of amusing.

#curl


The Register gets the amount completely wrong, as we have paid over 86,000 USD in bug-bounties since 2019.

It's just not that visible on #curl's hackerone page since the payouts have been managed by the Internet Bug Bounty for several years.

Update: I sent them a correction and they already updated the article!

#curl


Five years ago I got the chance to write "A book for my library is a book about my library". A #curl #book #review

daniel.haxx.se/blog/2020/05/07…


Over the last eleven years, 1,123 new authors have had their commits merged into the #curl git repository. The total number of authors thus grew 549% over this period.
#curl


This thing works by generating fake vulnerability reports. Here are some of the qualities of the HackerOne report 3125832 sent to #curl:
- It looks convincing at a glance, especially if you're not a subject matter expert.
- It's vague about actual repro steps. It makes it impossible for the victim project to reproduce the issue. For example, it makes up fake patches against non-existent, imaginary code.
- It refers to functions and methods that do not exist (in case someone tries to look for them). When confronted, the attacker refers to some old or new versions of components, using non-existent commit hashes.
- The report makes up some convincing functionality or names that are novel, but don't really exist.

An expert's look at the report shows a number of discrepancies, but finding them takes time and effort. It requires attention from a subject matter expert, with limited resources.

The real exploit here is that the attacker (evilginx) exploits the fact that the victims (the orgs who paid the attacker money) don't have the capacity to perform thorough analysis and rather just pay up. TL;DR: It's cheaper to pay the bug bounty than hire an expert to perform true analysis.

Why didn't it work against the curl project? The attacker miscalculated badly. The curl project is not a company and has far greater capability in security response than your average org. Also they can smell #aislop miles away.



New input field added to Hackerone submissions for #curl
#curl


reporter submits a hackerone report against #curl that includes "a crash in function NNN" with lots of complicated details.

With the little detail that function NNN was made up and does not exist in real code.

#curl



We got this "HIGH security problem" reported for #curl earlier today:

"The -o / --output parameter in cURL does not restrict or sanitize file paths. When passed relative traversal sequences (e.g., ../../), cURL writes files outside the current working directory, allowing arbitrary file overwrite. In automated or privileged environments (CI/CD, root containers), this leads to Remote Code Execution (RCE), privilege escalation, and supply chain risk."

Never a dull moment.

#curl



Live the bleeding edge life and take curl-8.14.0-rc1 for a test spin for us!

Thanks to users testing our rc builds, we can reduce the regression risk once we ship the actual *real* release on May 28. Today I shipped the rc1. There will be two more rc builds before the release.

curl.se/rc/

Thanks for flying #curl

#curl


I'm not saying it is healthy but I seem to have (checks notes) *six* presentations for #curl up this coming weekend.

Currently they sum up to 182 slides.

#curl


My secret to doing these "this date on YYYY" posts is that I have a document with 300 events on 200 dates from #curl history in calendar date order.
#curl


I don't have the "adoption date" of #curl into other distros, so if you can dig out some I'd be happy to take notes!
#curl


On this day in 1998, we shipped #curl 4.3.

It would take another year until it was first adopted into #Debian.


#curl