Items tagged with: Curl
reporter submits a hackerone report against #curl that includes "a crash in function NNN" with lots of complicated details.
With the little detail that function NNN was made up and does not exist in real code.
🔧 Curl is your best friend when testing webhooks! 🔧
Whether you're debugging or just need a quick test, curl has you covered.
#Webhooks #Curl #WebDevelopment #TechTips #Debugging #Automation
We got this "HIGH security problem" reported for #curl earlier today:
"The -o / --output parameter in cURL does not restrict or sanitize file paths. When passed relative traversal sequences (e.g., ../../), cURL writes files outside the current working directory, allowing arbitrary file overwrite. In automated or privileged environments (CI/CD, root containers), this leads to Remote Code Execution (RCE), privilege escalation, and supply chain risk."
Never a dull moment.
Don't forget to sign up for OpenInfra Forum on May 22 in #Stockholm to come and hear me blab about #curl. Or just extract some stickers from me and listen to the others instead.
https://www.meetup.com/openinfra-user-group-sweden/events/306139678/
OpenInfra Forum #19! 10 year anniversary! 121/150 currently attending.
**Update: 121/150 registered.** **Update: The after-party is full, 45/45 registered. 7 in the queue.** Hi everyone! Good news! Open Infra Forum is celebrating 10 years, so this
Live the bleeding edge life and take curl-8.14.0-rc1 for a test spin for us!
Thanks to users testing our rc builds, we can reduce the regression risk once we ship the actual *real* release on May 28. Today I shipped the rc1. There will be two more rc builds before the release.
Thanks for flying #curl
Select TLS signature algorithms by stormshield-aflorea · Pull Request #16964 · curl/curl
Overview: This allows the user to select which algorithms are presented in the signature_algorithms client hello extension. In this change, I add the CURLOPT_SSL_SIGNATURE_ALGORITHM option for curl_...
I'm not saying it is healthy but I seem to have (checks notes) *six* presentations for #curl up this coming weekend.
Currently they sum up to 182 slides.
Update TODO document by NeimadTL · Pull Request #17233 · curl/curl
The document has been updated by removing point 20.2 as it was done some time ago.
openssl: set the cipher string before doing private cert by bagder · Pull Request #17227 · curl/curl
... as this allows a set string to affect how OpenSSL deals with the private keys/certs.
Fix FTP accept connect by And-yW · Pull Request #17186 · curl/curl
When cf_tcp_accept_connect() is called and it sets up a connection it never indicates to the caller that it's done.
I'm pondering adding a --location-mode flag to #curl and I could use your feedback!
https://github.com/curl/curl/pull/16543
curl: add --location-mode all/obey/first by bagder · Pull Request #16543 · curl/curl
Sets the "mode" for how to treat and use a custom HTTP method when following redirects. The idea being that a user can set location-mode: obey in their .curlrc or similar to get this func...
After six years and 500+ reports to the #curl bug-bounty, the stats that might be the coolest:
Average time to first response: 1h
Median time to first response: 0h
I read this like we replied to more than half of the reports within 30 minutes.
(and yeah, maybe HackerOne should offer higher time resolution)
First private email: hello, can you help me use libcurl to do [bla bla bla]
Me: sure, but unless you get a support contract you need to ask the question in a public #curl forum or mailing list.
Second private email: [inserts a long detailed question]
Me: OH HUMANITY
Ten years ago #curl visited the Nasdaq tower in New York
https://daniel.haxx.se/blog/2015/04/24/curl-on-the-nasdaq-tower/
curl on the NASDAQ tower
Apigee posted this lovely picture over at twitter. A curl command line on the NASDAQ tower.
How the CNA thing is working out for #curl
https://daniel.haxx.se/blog/2025/04/24/how-the-cna-thing-is-working-out/
How the CNA thing is working out
Do you remember how curl became a CNA early last year? I was reminded that I had not really gotten back to this topic and explained to you, my dear readers, how it is and how it has worked out. This curl-being-a-CNA thing I mean.
openssl-quic: Add missing include by jspricke · Pull Request #17156 · curl/curl
uint_hash, Curl_uint_hash_init and others are used in the file. Regression of 657aae7.
Updated #curl bug bounty stats, six years in:
520 reports
78 confirmed security vulnerabilities
104 "informative" reports, bugs that weren't vulnerabilities
11 marked as "AI slop"
The rest were just different kinds of not applicable. Some more crazy than others.
The latest confirmed curl vulnerability (CVE-2025-0725) was reported 90 days ago.
There are currently zero issues in our queue.
autotools: install shell completion files on cross build by samueloph · Pull Request #17159 · curl/curl
Before 8.13.0, it was not possible to generate them as it required calling the compiled binary, but this has been fixed. Forwarding the patch from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=...
tell me, what info/trend/data should I dig up or extract and include in my "state of #curl" talk at curl up in less than two weeks?
Here's the two hour talk I did last year:
I compared #curl today vs curl 8 years ago on malloc count + memory use to download a single 512MB file over cleartext HTTP:
129 mallocs, which is exactly the same.
Maximum allocated now: 135566. 17,681 bytes *less* than eight years ago.
Not everything has to go bloat over time I suppose.
And here's the old blog post: https://daniel.haxx.se/blog/2017/04/22/fewer-mallocs-in-curl/
Fewer mallocs in curl
Today I landed yet another small change to libcurl internals that further reduces the number of small mallocs we do.
Clarify that CURLOPT_ERRORBUFFER buffer is read only after curl gains ownership of it by MaxEliaserAWS · Pull Request #17105 · curl/curl
Here is a documentation patch clarifying libcurl's guarantees with regards to the CURLOPT_ERRORBUFFER buffer. See #17100. Tested make -C docs.
One year anniversary for the #curl pillow "curl is just the hobby"
https://daniel.haxx.se/blog/2024/04/22/curl-is-just-the-hobby/
curl is just the hobby
Jan Gampe took things to the next level by actually making this cross-stitch out of the pattern I previously posted online. The flowers really gave it an extra level of charm I think.
websocket: add option to disable auto-pong reply by viscruocco · Pull Request #16744 · curl/curl
Rebased #12220 with kind permission of @brimonk. Additionally added some more documentation and explicitly initialized CURLOPT_WS_OPTIONS values to their defaults.
Every topic I usually blab about here in a single weekend in Prague? That's basically #curl up 2025. Consider yourself invited. Only two weeks away now.