Search results for tag #curl
@simonzerafa @domi @videolan not more than it seems they use Windows 10/11 machines onboard and #curl is part of that...
a LinkedIn post of the motivational kind:
Alt...
Curl is also the most secure codebase I've seen. I tried
to hunt for vulnerabilities in it (having reviewed the
slop report collection for fun) and got zero hits. Maybe
some borderline documented behavior, but nothing
with any reasonable security impact. So I probably did
it right. But on almost every codebase I've reviewed
extensively in the past, including glibc, I've found at
least one issue with a security impact. Curl is the only
one which I've found completely clean as far as I could
see. I think the bounty program has been largely
beneficial to curl over the years and has overall
contributed positively to the project's security, despite
the recent downtrend. Keep it up
I'm proud of #curl's thorough vulnerability documentation that you will have a hard time to find other projects matching. Open or closed.
I pushed curl-rustls-8.19.0-3-x86_64.pkg.tar.zst to Arch Linux, with this version it's now possible to encrypt the TLS client hello:
curl -sSv --ech hard --doh-url='https://dns.mullvad.net/dns-query' 'https://defo.ie/ech-check.php'
Should display:
<p>SSL_ECH_OUTER_SNI: cover.defo.ie <br />
SSL_ECH_INNER_SNI: defo.ie <br />
The --doh-url is mandatory, otherwise curl won't query the `https` dns records (dig +short https defo.ie).
For opportunistic ECH use `--ech true`.
Seven years ago we ditched HTTP Pipelining support in #curl.
https://daniel.haxx.se/blog/2019/04/06/curl-says-bye-bye-to-pipelining/
There is virtually **no** AI slop security reports anymore submitted about #curl. They don't seem to happen any longer.
Almost everyone still uses AI though.
Hackerone submissions to #curl per quarter, Jan 1st 2023 to end of March 2026.
Alt...
A graph showing a roughly 4x increase in submission rate
We have received more security reports against #curl in 2026 so far than we did during the entire year back in 2024.
During the first three months we have received twice the amount of reports/week as we did last year.
The security reporting situation that I see at the ASF and in #curl is
- huge increase in reports
- increase of valid reports
- appearance of duplicate/triplicate reports of the same issue by different people
A high profile project needs to deal with 2-4 new reports each day. This is nuts.
One *may* hope this to go down again later this year bc
- unhallucinated issues are finite (see the fuzzing wave)
- eventually it will cost real money to generate these reports
I know you've always been curios. How does the #curl code base compare to a few great literary works of art when it comes to number of words?
Happy to be at service:
Alt...
curl has passed both works in number of words...
Having been around for a while in the project allows me to chime in and say things like...
"it has been possible to build #curl with zlib since 2002. It has always been optional. Still is."
#curl DNS in 2026, part II, covers the options in curl for performing DNS lookups and what this means in the context of ECH/HTTPS-RR.
There are now more than 500 CNAs: https://www.cve.org/programorganization/cnas
When #curl became a CNA in January 2024, we became the 351st one.
89 days into the year, the #curl project has received 72 security reports on Hackerone and ten additional ones over other channels. Close to one a day on average.
Compared to 2024, this is roughly 4x the volume.
The "obviously AI slop" rate has drastically gone down but the rate of actual vulnerabilities is below 10%.
We continue to spend a significant amount of time and effort on security.
Welcome Greg Kroah-Hartman @gregkh as #curl commit author 1459: https://github.com/curl/curl/pull/21159
commit UTC week hour in #curl
https://github.com/curl/stats/pull/31
Alt...
commit week hour heatmap in the curl project - which hour of the week commits were authored
days-per-cmdline-option is a slightly scary new #curl graph I'm trying out here:
https://github.com/curl/stats/pull/30
"Unfortunately in the bank where i work it is not easy to change the version, it requires lots of resources to retest." says reporter who uses a ten years old #curl version with a suspected bug... The problem is not open source.
curl-up 2026 is on May 23-24 this year in Prague - https://github.com/curl/curl-up/wiki/2026 - sign up ... participate ... we esp would like to hear from users, developers and anyone trying to figure out this crazy world of software development - demonstrate what you do with curl (can be a formal talk or just come and we can talk) #curl #curlup2026
This new page on the curl website explains how you can (should?) verify #curl, and a little what we do to verify what we do.
We can never be 100% safe, but we can try.
This is the day of #curl distro meeting 2026.
https://github.com/curl/curl/wiki/curl-distro-discussion-2026
u wot m8?
> Most modern operating systems include cURL by default. On Windows, use 'cmd' since in powershell curl is added as alias for Invoke-WebRequest (Microsoft.PowerShell.Utility)
Let me get this straight: Microslop decided that it makes total sense to have a "curl" command that in PowerShell is a different thing than the standard "curl" available in `cmd`?..
Ffs. I have no words.
In the latest release of OSGeo4W they list the #curl license as "non-open-source"... 🤔
Alt...
Screenshot of German-speaking OSGeo4W install window
curl
Daniël Stenberg
facts and praise
I'm fortunate that I am allowed to follow Daniël, lead programmer of the mightycurl. The reason I formulated the line in this way, is because only through the power of the FediVerse I've gotten a boost from someone I follow, who found a post of the lead programmer or curl interesting
stats:
install base => 20000*10
6
devices
20 billion+ installations!
curlis used in command lines or scripts to transfer data. curl is alsolibcurl, used in:
- cars
- television sets
- routers
- printers
- audio equipment
- mobile phones
- tablets
- medical devices
- settop boxes
- computer games
- media players
Curl is THE Internet transfer engine for countless software applications in over twenty billion installations!
curl is used daily by virtually every Internet-using human on the globe!
curl is 30 years old
Let that sink in!
Opinion
curl is mature critical network infrastructure software that we all need to have our internet powered software / hardware to function in respect to data transfer.
The syntax to use curl in simple implementations is IMHO quite easy. In case you need to know an extra option, the executable and libcurl have excellent documentation. End users normally interact with curl using the (elf) binary on Linux based POSIX operating systems. The more mature BSDs have another binary format
Just type curl to get an initial output which looks like this on my current system
curl
curl: try 'curl --help' or 'curl --manual' for more information
then type
curl --help
Usage: curl [options...] <url>
-d, --data <data> HTTP POST data
-f, --fail Fail fast with no output on HTTP errors
-h, --help <subject> Get help for commands
-o, --output <file> Write to file instead of stdout
-O, --remote-name Write output to file named as remote file
-i, --show-headers Show response headers in output
-s, --silent Silent mode
-T, --upload-file <file> Transfer local FILE to destination
-u, --user <user:password> Server user and password
-A, --user-agent <name> Send User-Agent <name> to server
-v, --verbose Make the operation more talkative
-V, --version Show version number and quitThis is not the full help; this menu is split into categories.
Use "--help category" to get an overview of all categories, which are:
auth, connection, curl, deprecated, dns, file, ftp, global, http, imap, ldap, output, pop3, post, proxy,
scp, sftp, smtp, ssh, telnet, tftp, timeout, tls, upload, verbose.
Use "--help all" to list all options
Use "--help [option]" to view documentation for a given option
When you type curl --manual|less you get the manpages which I delimited with less through a vertical pipe
_ _ ____ _
___| | | | _ \| |
/ __| | | | |_) | |
| (__| |_| | _ <| |___
\___|\___/|_| \_\_____|
NAME curl - transfer a URL
SYNOPSIS
curl [options / URLs]
DESCRIPTION
curl is a tool for transferring data from or to a server using URLs. It
supports these protocols: DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP,
HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP,
SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS.
curl is powered by libcurl for all transfer-related features. See
libcurl(3) for details.
URL
The URL syntax is protocol-dependent. You find a detailed description in
RFC 3986.
I can also type man curl to get a nice output:
curl(1) curl Manual curl(1)NAME
curl - transfer a URL
SYNOPSIS
curl [options / URLs]
DESCRIPTION
curl is a tool for transferring data from or to a server using URLs. It supports these protocols:
DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S,
RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS.
curl is powered by libcurl for all transfer-related features. See libcurl(3) for details.
URL
The URL syntax is protocol-dependent. You find a detailed description in RFC 3986.
If you provide a URL without a leading protocol:// scheme, curl guesses what protocol you want. It
then defaults to HTTP but assumes others based on often-used hostname prefixes. For example, for
hostnames starting with "ftp." curl assumes you want FTP.
You can specify any amount of URLs on the command line. They are fetched in a sequential manner in
the specified order unless you use -Z, --parallel. You can specify command line options and URLs
Manual page curl(1) line 1 (press h for help or q to quit)
The reasoning behind curl --manual is simple. On a machine without the manual system you still need access to the full manual. This is one of the reasons why man curl is also implemented as curl --manual
An important RFC is echoed to my terminal in the man curl output which is RFC 3986
A Uniform Resource Identifier (URI) is a compact sequence of
characters that identifies an abstract or physical resource. This
specification defines the generic URI syntax and a process for
resolving URI references that might be in relative form, along with
guidelines and security considerations for the use of URIs on the
Internet. The URI syntax defines a grammar that is a superset of all
valid URIs, allowing an implementation to parse the common components
of a URI reference without knowing the scheme-specific requirements
of every possible identifier. This specification does not define a
generative grammar for URIs; that task is performed by the individual
specifications of each URI scheme.
I shall not quote the whole RFC 3986 here. You can read all about it on the RFC site (see sources)
As you can see curl is thorougly documented, has all the features a simple end user needs to fetch all kind of data, scaled up all the way to the extensive complex features router hardware et all, needs to transfer data.
programming route
I came to this toot when I saw that certain external feature code, which lives in stable external libraries, is now being removed from curl. I should say the code is depreciated then phased out.
This is a logical step
- It takes resources to maintain external code
- If the (shared) libraries are stable and mature, it's much better to just call those libraries and be done.
- The more external code you can remove from your project the better it is for all the programmers
The same is also happening in the Linux kernel, they are following in the footsteps of curl
Conclusion
There is a treasure trove of information in the sources. Just reading the pages on RFC 3986 will keep you occupied for hours.
Have fun and keep reading / learning and programming!
sources:
https://www.rfc-editor.org/rfc/rfc3986
https://curl.se/mail/lib-2026-03/0026.html
#curl #programming #mathematics #linear #algebra #libcurl #Linux #BSD #freeBSD #openBSD #netBSD #POSIX #bash #csh #ksh #sh #fish #radio #TV #smartTV #router
Alt...
screencap
Alt...
screencap
Alt...
https://www.rfc-editor.org/rfc/rfc3986
RE: https://hachyderm.io/@kees/116282745861595200
Fun to see the Linux kernel follow in #curl's footsteps! 😎 (we removed the last strncpy from curl in late 2025)
Today we celebrate four years since Apple pulled the ghost CVE prank on us:
https://daniel.haxx.se/blog/2022/03/23/anatomy-of-a-ghost-cve/
How about a new graph? Number of options for curl_multi_setopt() over time
https://github.com/curl/stats/pull/27
Alt...
Number of options for curl_multi_setopt over time