Notices by daniel:// stenberg:// (bagder@mastodon.social)

yeah #curl has just 16 open issues. I'm a firm believer in not having a lot of open issues so we in fact never do. We work really hard on that. A project philosophy.

Darn, we missed the opportunity for a celebratory cake when we passed 5,000 closed issues in the #curl project

We have a CI job to spot unwanted utf8 letters in #curl PRs as we have noticed that GitHub will gladly show the for example (identical) Cyrillic version of a letter next to the Latin version in a diff and it is yes, entirely impossible for a human to spot the diff. I mean the diff is shown, but the significance of it is not.

Changing just a single letter like that in a URL hostname opens up for a world of grief.

#Firefox is on #GitHub now: https://github.com/mozilla-firefox/firefox

So the user actually found a memory leak in #curl (using a fuzzer) and reported it correctly. All good.

Then, in a follow up comment the user makes the ugly choice of trying to "help" us with this bug by asking an AI for help and proposing that as a solution.

And again it broke horribly and the AI made up a broken patch that did not even fix the problem.

Now that reporter is banned.

AI_slop_counter++;

What a week => https://lists.haxx.se/pipermail/daniel/2025-May/000111.html

Mastodon, curl up, curlinfo, tpm2, rc1, AI, curlx, meta hash

"in a world where everyone is striving to reduce their energy footprint, sticking to a library that operates at only a quarter of its predecessor's efficiency, and six to nine times slower than the competition, contradicts global sustainability efforts"

as the site is asleep, I'll offer the tldr: aws-lc is the fastest, wolfssl is number two, openssl is not very fast

but read the post later, it is super long and detailed

The state of SSL stacks:

https://www.haproxy.com/blog/state-of-ssl-stacks

I mentioned the #hackerone AI slop thing on #LinkedIn

in case you care: https://www.linkedin.com/posts/danielstenberg_hackerone-curl-activity-7324820893862363136-glb1

combined with new policy to instantly ban every reporter who submits issues we deem AI slop

reporter submits a hackerone report against #curl that includes "a crash in function NNN" with lots of complicated details.

With the little detail that function NNN was made up and does not exist in real code.

New input field added to Hackerone submissions for #curl

Hello Prague

Both these reports might be AI slop but we can't be sure - they lack some of the most obvious giveaways. People can be stupid without AI as well.

@sergiotarxz sounds like working as intended

Same user followed up with a second severity HIGH security problem.

"The --capath option in cURL and CURLOPT_CAPATH in libcurl accept any directory path without validation. If an attacker provides a custom CA path containing a fake root certificate, cURL will trust malicious HTTPS endpoints signed with that fake root."

I'm fortunate to get to work with the best people 🤠

We got this "HIGH security problem" in #curl earlier today:

"The -o / --output parameter in cURL does not restrict or sanitize file paths. When passed relative traversal sequences (e.g., ../../), cURL writes files outside the current working directory, allowing arbitrary file overwrite. In automated or privileged environments (CI/CD, root containers), this leads to Remote Code Execution (RCE), privilege escalation, and supply chain risk."

Never a dull moment.