63 days since the last confirmed #curl vulnerability report.

Can you reset the counter?

You can help #curl by testing this final release candidate, rc3, before the real release happens next week:

curl.se/rc/

how to do a #curl release has been viewed 27K times!

youtu.be/7UQgcSWkSYw

How to do a curl release - with Daniel Stenberg

Daniel makes the curl 8.12.0 release. Shows how a curl release is done. This is the 264th curl release. Shows the scripts, the procedures and the general pro...

^YouTube

A very common email reply to me:

"#curl is not deemed important enough for a support deal. I will instead submit a public issue/discussion item about [the discussed matter]"

Two years ago we introduced the #libcurl header API, which also made it easier to extract headers with the #curl tool:

daniel.haxx.se/blog/2022/03/24…

Easier header-picking with curl

Okay you might ask, what's the news here? We've been able to get HTTP response headers with curl since virtually the stone age. Yes we have. Get the page and also show the headers: curl -i https://example.

^{daniel.haxx.se}

🛡️#Curl has been around for 26 years—and it’s still secure! How?

European Open Source Academy member, @bagder Stenberg, joined the latest episode of Security Weekly Productions, discussing how Curl and #libcurl have maintained security and reliability over decades.

A must-listen for #developers and #cybersecurity enthusiasts! 👨‍💻🔒

📺 Explore the episode : youtube.com/watch?v=0UavY_kKKic

👉 Learn more about the Academy : europeanopensource.academy/new…

#CyberSecurity #CurlProject #AppSec

Did you know that YOU can sponsor this year's #curl up? curl up is the annual curl developers meetup, this year taking place in May in Prague.

You can have your company name associated with the event while at the same time funding critical Internet infrastructure and one of the world's most widely used software components.

Just saying.

on this day, only twenty-five years ago, we shipped #curl 6.5 which introduced the fancy -w option

curl.se/ch/6.5.html

everything.curl.dev/usingcurl/…

I had forgotten this. Six years ago I researched the Refresh HTTP header field and came to the conclusion that #curl doesn't need to bother.

daniel.haxx.se/blog/2019/03/12…

Looking for the Refresh header

The other day someone filed a bug on curl that we don't support redirects with the Refresh header. This took me down a rabbit hole of Refresh header research and I've returned to share with you what I learned down there.

^{daniel.haxx.se}

We got another "critical vulnerability" on #curl reported. I figured you might enjoy it.

"The authentication mechanism in cURL does not properly restrict the number of failed authentication attempts, allowing an attacker to brute-force credentials"

Yawn. Away, away you go.

Two years since the big #curl 25 year celebration I'm looking at project numbers from back then and compare them with current ones.

19,800 more lines of code

23 additional man pages

428 new test cases

83 more CI jobs

229 new authors

30,800 USD more in bug bounties

18 new command line options

14 more operating systems

4557 commits more

We're not slowing down.

Raised an issue to discuss how to improve curl's MQTT message output.

github.com/curl/curl/issues/16…

Comments and insight requested to plan a possible PR as I can't see a way to fix it without it being a breaking change to current behaviour.

#curl #MQTT

No way to parse multiple MQTT messages from the output stream · Issue #16633 · curl/curl

I did this I ran curl mqtt://test.mosquitto.org/curl/test --output test.out -N Then in a different terminal curl mqtt://test.mosquitto.org/curl/test -d "helloWorld" curl mqtt://test.mosquitto.org/c...

^GitHub

Remember: when you run #curl shipped by Apple with the --cacert flag it won't behave like #curl does everywhere else. As I wrote about last year. I think they're doing it wrong. They think its fine.

daniel.haxx.se/blog/2024/03/08…

the Apple curl security incident 12604

tldr: Apple thinks it is fine. I do not. On December 28 2023, bugreport 12604 was filed in the curl issue tracker. We get a lot issues filed most days so this fact alone was hardly anything out of the ordinary.

^{daniel.haxx.se}

#curl release candidate 1 for the pending release is here: curl.se/rc/

We'll appreciate if you take it for a spin and report any problems you find.

There was a question posed on the #curl IRC channel whether there's ever going to be a need to raise addressing or offsets from 64-bit to something larger, such as 128-bit.

I argue there is no need to do this. 64-bit can already address a very large amount of data. For example, many operating systems and filesystems have a limit of 2**64 for file sizes. But it is difficult to wrap your head around this; how much data can such a file really hold?

Some estimates (*) say that there's going to be around 181 ZB (zettabytes) of data in the world by the end of 2025.

This is only 9812 files if each file holds 2**64 bytes.

*) rivery.io/blog/big-data-statis…

Big data statistics: How much data is there in the world?

Data is growing at a faster rate than ever before. 90% percent of the world’s data was created in the last two years. And every two years, the volume of data across the world doubles in size.

^{Kevin Bartley (Rivery)}

Right now, we have less than ten open issues for the #curl project

github.com/curl/curl/issues

Issues · curl/curl

A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP...

^GitHub

#curl roadmap 2025

youtu.be/0vVTNm2q2vg

curl roadmap 2025 - with Daniel Stenberg

Things we may see added and done in curl during 2025.

^YouTube

At 21.4 days since the previous #curl release, we count merged in git since:

Bugfixes: 169 (7.91 per day)
Commit authors: 30, 12 new (total 1354)
Contributors: 42, 20 new (total 3363)
Commits: 262 (total 34545)

People are insane over here.

The #curl roadmap 2025 webinar happens later today:

daniel.haxx.se/blog/2025/02/25…

The curl roadmap webinar 2025

On March 6 2025 at 18:00 UTC, I am doing a curl roadmap webinar, talking through a set of features and things I want to see happen in curl during 2025. Figure out my local time.

^{daniel.haxx.se}

Let me give you another peek into the everyday work of the #curl security team. A reported UAF we deem not a security problem:

hackerone.com/reports/3022041

curl disclosed on HackerOne: Use after free (read) in...

## Summary: [summary of the vulnerability] There is a use after free in `curl_multi_perform` when DoH resolver timeouts and `CURLOPT_PROXY` is used (see reproducer and stack trace) I found it via...

^HackerOne

"Three generations in my family have used and loved #curl! That’s the kind of reliability you don’t see often in software." / Kalyani Pawar

💚

Three years ago today, the --json option shipped in a #curl release for the first time.

daniel.haxx.se/blog/2022/02/02…

curl dash-dash-json

The curl "cockpit" is yet again extended with a new command line option: --json. The 245th command line option.

^{daniel.haxx.se}

say hello to #curl's 268th command line option --upload-flags (just merged in master)

Use it to set properties for your IMAP upload: answered, deleted, draft, flagged, or seen