A new breed of analyzers (daniel.haxx.se): (See how I cleverly did not mention AI in the title!) You know we have seen more than our fair share of slop reports sent to the curl project so it seems only fair that I also write something about the state of AI when we get to enjoy some positive aspects of this technology. …
Bye bye Kerberos FTP: We are dropping support for this feature in curl 8.17.0. Kerberos5 FTP to be exact. The last Kerberos support we had for FTP. Badness On September 16, 2025 we received a security report that accurately identified a possible stack based buffer overflow in the Kerberos FTP code that could allow a malicious FTP server to cause …
The Apple curl security incident 12604: tldr: Apple thinks it is fine. I do not. On December 28 2023, bugreport 12604 was filed in the curl issue tracker. We get a lot of issues filed most days so this fact alone was hardly anything out of the ordinary. We read the reports, investigate, ask follow-up questions to see what we can learn …
From suspicion to published curl CVE: Every curl security report starts out with someone submitting an issue to us on https://hackerone.com/curl. The reporter tells us what they suspect and what they think the problem is. This report is kept private, visible only to the curl security team and the reporter while we work on it. In recent months we have gotten …
The QUIC API OpenSSL will not provide: In a world that is now gradually adopting HTTP/3 (which, as you know, is implemented over QUIC), the missing API for QUIC is still a key problem. There have been a number of QUIC library implementations for a few years now, and they are slowly maturing. The QUIC protocol became RFC …
Pretending port zero is a normal one: When speaking TCP, we communicate between "ports" in the local and remote ends. Each of these port fields is 16 bits in the protocol header, so it can hold values between 0 and 65535. (IPv4 and IPv6 are the same here.) We usually do HTTP on port 80 and we do HTTPS on port …
AI slop attacks on the curl project: On August 16, 2025 I gave a keynote with this title at the FrOSCon conference in Bonn, Germany. The room held a few hundred seats and every single one was occupied, with people also filling up the stairs and standing along the walls. Awesome! https://www.youtube.com/watch?v=6n2eDcRjSsk See also my death by slop post for more …
Output nothing with --out-null: Downloading data from a remote URL is probably the single most common operation people do with curl. Often, users then add various additional options to the command line to extract information from that transfer, but they may also decide that the actually fetched data is not interesting. Sometimes they don't get the accurate meta-data if the …
HTTP is not simple: I often hear or see people claim that HTTP is a simple protocol. Primarily of course from people without much experience or familiarity with actual implementations. I think I personally also had thoughts in that style back when I started working with the protocol. After personally having devoted nearly three decades to writing client-side code …
curl 8.15.0: Welcome to another curl release. A shorter cycle this time so we did not have time to merge many changes: there is just one logged. See below. This is the 269th release featuring 269 command line options. Release presentation: https://www.youtube.com/watch?v=O-JKlkXVURg Numbers: the 269th release, 1 change, 42 days (total: 9,980), 233 bugfixes (total: 12,282), 334 commits (total: 35,572), 0 new …
Death by a thousand slops: I have previously blogged about the relatively new trend of AI slop in vulnerability reports submitted to curl and how it hurts and exhausts us. This trend does not seem to slow down. On the contrary, it seems that we have recently not only received more AI slop but also more human slop. The latter …
Sponsor my laptop!: I need to get myself a new laptop. My existing one is from 2017 and was already then not the most powerful one. It recently started to shut itself off when running on battery and during the two most recent curl up meetings it has proven itself to be rather sluggish and unable to save …
A family of forks: curl supports getting built with eleven different TLS libraries. Six of these libraries are OpenSSL or forks of OpenSSL. Allow me to give you a glimpse of their differences, similarities and some insights into what it takes to support them all. SSLeay It all started with SSLeay. This was the first SSL library I found …
Decomplexification: (Clearly a much better word than simplification.) I believe we generally accept the truth that we should write simple and easy to read code in order to make it harder to create bugs and cause security problems. The more complicated code we write, the easier it gets to slip up, misunderstand or forget something along …
Writing C for curl: It is a somewhat common question to me: how do we write C in curl to make it safe and secure for billions of installations? Some precautions we take and decisions we make. There is no silver bullet, just guidelines. As I think you can see for yourself below they are also neither strange nor …
CVSS is dead to us: CVSS is short for Common Vulnerability Scoring System and is, according to Wikipedia, a technical standard for assessing the severity of vulnerabilities in computing systems. Typically you use an online CVSS calculator, click a few checkboxes and radio buttons and then you magically get a number from 0 to 10. There are also different versions …
rust in curl with hyper: tldr: work has started to make Hyper work as a backend in curl for HTTP. curl and its data transfer core, libcurl, are written entirely in C. The language C is known and infamous for not being memory safe and for being easy to mess up, and as a result it is easy to accidentally cause security problems. At …
Eighteen years of libcurl ABI stability: It has been eighteen years of libcurl ABI stability.
HTTP/3 in curl mid 2024: Time for another checkup. Where are we right now with HTTP/3 support in curl for users? I think curl's situation is symptomatic of a lot of other HTTP tools and libraries. HTTP/3 has been and continues to be a much tougher deployment journey than HTTP/2 was. curl supports four alternative HTTP/3 solutions. You can enable …
curl 8.8.0: Numbers: the 257th release, 8 changes, 56 days (total: 9,560), 220 bug-fixes (total: 10,271), 348 commits (total: 32,280), 1 new public libcurl function (total: 94), 1 new curl_easy_setopt() option (total: 305), 1 new curl command line option (total: 259), 84 contributors, 41 new (total: 3,173), 49 authors, 20 new (total: 1,272), 0 security fixes (total: 155). Download the new curl release from curl.se as always. …
I survived curl up 2024: On Friday May 3, 2024 I had several of my curl friends over for dinner in my house. An unusually warm and sunny spring day with a temperature reaching twenty degrees centigrade. The curl up 2024 weekend started excellently and the following morning we all squeezed ourselves into a conference room in downtown Stockholm. I …
The I in LLM stands for intelligence: I have held back on writing anything about AI or how we (not) use AI for development in the curl factory. Now I can't hold back anymore. Let me show you the most significant effect of AI on curl as of today - with examples. Bug Bounty Having a bug bounty means that we offer …
HTTP/2 connection coalescing: Section 9.1.1 in RFC 7540 explains how HTTP/2 clients can reuse connections. This is my lengthy way of explaining how this works in reality. Many connections in HTTP/1 With HTTP/1.1, browsers are typically using 6 connections per origin (host name + port). They do this to overcome the problems in HTTP/1 and how it uses TCP …
How I made a heap overflow in curl: In association with the release of curl 8.4.0, we publish a security advisory and all the details for CVE-2023-38545. This problem is the worst security problem found in curl in a long time. We set it to severity HIGH. While the advisory contains all the necessary details, I figured I would use a few additional …
IDN is crazy: IDN, International Domain Names, is the concept that lets us register and use international characters in domain names, and by international we of course mean characters outside of the ASCII range. Recently I have fought some battles against IDN and IDN decoding so I felt this urge to write a lot of words about it …
http://http://http://@http://http://?http://#http://: The other day I sent out this tweet. As it took off, got amazing attention and I received many different comments and replies, I felt a need to elaborate a little. To add some meat to this. Is this string really a legitimate URL? What is a URL? How is it parsed? http://http://http://@http://http://?http://#http:// curl …