Twenty-nine years ago on this day, #httpget 0.1 was released. I found the tool a few days later and within a few months I became the maintainer. We later renamed it. Twice. The last name it got is #curl. It stuck. httpget was my first insight and lesson into HTTP and since then I have kept learning it. httpget 0.1 was written by Rafael Sagula, who unfortunately is not with us anymore.
One of the most common security reports we get in #curl is claims of various CRLF injections where a user injects a CRLF into their own command lines and that's apparently "an attack". We have documented this risk if you pass in junk in curl options but that doesn't stop the reporters from reporting this to us. Over and over. Here's a recent one.
Hello mr Slop, so we meet again...
In the #curl security team, we get to exercise deep protocol knowledge into the bits for many protocols including version variations and exploring funny quirks we have for adapting to many 3rd party libraries as well as a thorough understanding of the C language, how ABIs work, OS/platform variations and the occasional CPU peculiarity. Did I mention build systems? And that's only for the issues we received this weekend.
Welcome Stanislav Fort as #curl commit author 1418:
Has the time come to pull the plug for #RTMP in #curl?
#curl speaks #MQTT but rather limited and in a slightly naive fashion. Feel free to help us improve.
More than half of #curl's source code lines have been changed within the last four years. 1,101 lines from before year 2000 still remain "untouched".
"Secure Software Lifecycle for Open Source Software" according to the German Federal Office for Information Security (BSI)
Yes really, #curl is still developed