Items tagged with: curl

Search

Items tagged with: curl

#curl

#curl

Tor has introduced this new cool tool they call oniux. On the page announcing it they show off a #curl command line that hasn't worked for two years... since curl nowadays refuses to resolve .onion names like RFC 7686 says.

blog.torproject.org/introducin…


Introducing oniux: Kernel-level Tor isolation for any Linux app | Tor Project

Introducing oniux: Kernel-level Tor isolation for any Linux app. This torsocks alternative uses namespaces to isolate Linux applications over the Tor network and eliminate data leaks.
blog.torproject.org
#curl

#curl

and even before you ask: the graph of graphs in the #curl dashboard
A graph showing a growth of graphs to 87 over time, the number of individual plots has grown to 245. From January 2020 to mid 2025.
#curl

and: what share of the #curl code is considered how complex, over time
Graph showing an increasing share of code considered to be less complex over time.
#curl

It's been a while but here's a new graph I'm testing. Getting the complexity for every function in #curl then assigning that complexity for all lines in that function. This gives an "average complexity per source code line".

Then plot this score for curl over time.

The idea now being to push it down hard.

Source code line complexity. A plot that sits around 40-50 for about 23 years but then slightly starts to fall and is at ~25 nearing mid-2025.
#curl

#curl

#curl

yeah #curl has just 16 open issues. I'm a firm believer in not having a lot of open issues so we in fact never do. We work really hard on that. A project philosophy.
#curl

Darn, we missed the opportunity for a celebratory cake when we passed 5,000 closed issues in the #curl project
Closed: 5,006 (partial screenshot from GitHub issues for curl)
#curl

#curl

We have a CI job to spot unwanted utf8 letters in #curl PRs as we have noticed that GitHub will gladly show the for example (identical) Cyrillic version of a letter next to the Latin version in a diff and it is yes, entirely impossible for a human to spot the diff. I mean the diff is shown, but the significance of it is not.

Changing just a single letter like that in a URL hostname opens up for a world of grief.

GitHub diff output showing what looks like identical strings as being different. The right one has the Latin 'g' replaced with an Armenian 'g'.
#curl

Live the bleeding edge life, help out the #curl project and test the fresh 8.14.0-rc2 build: curl.se/rc/

(Do not use release candidates in production. They are work in progress. Use them for testing and verification only. Use actual releases in production.)

curl release candidates

curl.se
#curl

#curl

So the user actually found a memory leak in #curl (using a fuzzer) and reported it correctly. All good.

Then, in a follow up comment the user makes the ugly choice of trying to "help" us with this bug by asking an AI for help and proposing that as a solution.

And again it broke horribly and the AI made up a broken patch that did not even fix the problem.

Now that reporter is banned.

#curl

In 2025 so far, #curl has received 32 security vulnerability reports.

Out of those, two were confirmed genuine vulnerabilities. The latest one submitted January 23.

Six of them were AI slop (some of the others might as well be, but it isn't always easy to tell).

Ten of them we classified as "normal bugs" and took care of the normal way.

As a general rule, we spend several man hours on every incident but we don't actually track nor measure that.

#curl

#security #AI #tech #curl #hackerone #vulnerabilities #bugreports

neither would be required if someone sat down on the weekend and rewrote #curl in rust
#curl

Several people who reply on that LinkedIn post of mine help showing the reality distortion field - by proposing #curl "should just hire a security professional" instead of relying on a bug-bounty program.

Kind of amusing.

#curl

The Register gets the amount completely wrong, as we have paid over 86,000 USD in bug-bounties since 2019.

It's just not that visible on #curl's hackerone page since the payouts are manged by the Internet Bug Bounty since several years.

Update: I sent them a correction and they already updated the article!

#curl

Five years ago I got the chance to write "A book for my library is a book about my library". A #curl #book #review

daniel.haxx.se/blog/2020/05/07…


Review: curl programming

Title: Curl ProgrammingAuthor: Dan GookinISBN: 9781704523286Weight: 181 grams A book for my library is a book about my library! Not long ago I discovered that someone had written this book about curl and that someone wasn't me! (I believe this is a f…
daniel.haxx.se
#book #Review #curl

Over the last eleven years, 1,123 new authors have had their commits merged into the #curl git repository. The total number of authors thus grew 549% over this period.
#curl

#curl

#curl

This thing works by generating fake vulnerability reports. Here are some of the qualities of the HackerOne report 3125832 sent to #curl:
- It looks convincing at a glance, especially if you're not a subject matter expert.
- It's vague about actual repro steps. It makes it impossible for the victim project to reproduce the issue. For example, it makes up fake patches against non-existent, imaginary code.
- It refers to functions and methods that do not exist (in case someone tries to look for them). When confronted, the attacker refer to some old or new versions of components, using non-existent commit hashes.
- The report makes up some convincing functionality or names that are novel, but don't really exist.

An expert’s look at the report shows the number of discrepancies, but finding them takes time and effort. It requires attention from a subject matter expert, with limited resources.

The real exploit here is that the attacker (evilginx) exploits the fact that the victims (the orgs who paid the attacker money) don't have the capacity to perform thorough analysis and rather just pay up. TL;DR: It's cheaper to pay the bug bounty than hire an expert to perform true analysis.

Why didn't it work against the curl project? The attacker miscalculated badly. Curl project is not a company and has far greater capability in security response than your average org. Also they can smell #aislop miles away.

#curl #aislop

#AI #llm #curl #golem @daniel:// stenberg://

New input field added to Hackerone submissions for #curl
Did you use an AI to find the problem or generate this submission?
#curl

reporter submits a hackerone report against #curl that includes "a crash in function NNN" with lots of complicated details.

With the little detail that function NNN was made up and does not exist in real code.

#curl

#curl

#automation #webdevelopment #curl #debugging #techtips #webhooks

We got this "HIGH security problem" reported for #curl earlier today:

"The -o / --output parameter in cURL does not restrict or sanitize file paths. When passed relative traversal sequences (e.g., ../../), cURL writes files outside the current working directory, allowing arbitrary file overwrite. In automated or privileged environments (CI/CD, root containers), this leads to Remote Code Execution (RCE), privilege escalation, and supply chain risk."

Never a dull moment.

#curl

#curl #stockholm

Live the bleeding edge life and take curl-8.14.0-rc1 for a test spin for us!

Thanks to users testing our rc builds, we can reduce the regression risk once we ship the actual *real* release on May 28. Today I shipped the rc1. There will be two more rc builds before the release.

curl.se/rc/

Thanks for flying #curl

curl release candidates

curl.se
#curl

#curl

I'm not saying it is healthy but I seem to have (checks notes) *six* presentations for #curl up this coming weekend.

Currently they sum up to 182 slides.

#curl

My secret to doing these "this date on YYYY" posts is that I have a document with 300 events on 200 dates from #curl history in calendar date order.
#curl

I don't have the "adoption date" of #curl into other distros, so if you can dig out some I'd be happy to take notes!
#curl

On this day in 1998, we shipped #curl 4.3.

It would take another year until it was first adopted into #Debian.

#debian #curl

#curl