
"I will slaughter you" - some emails penetrate even my thick open source maintainer skin. Like this threat.

curl --fail-with-body is here - the 238th command line option might just be the one you've looked for!

curl supports rustls - say hello to curl's 14th supported TLS library and join in and help us improve it!

What if GitHub is the devil? - tldr: if they shut down or go bad it'd be annoying but not lethal for the curl project

More on less curl memory - curl now uses a mere 30K of dynamic memory for downloading a large HTTP file, plus the size of the download buffer.

bye bye - After having run the unofficial svn mail archive for twenty years, I've handed it over to the Apache people.

Food on the table while giving away code
I’m living the open source dream, working full time on the project I created myself: curl. But it's not entirely easy.

RT @bagder
I think Cloudflare's blog has the best explanation and illustrations for the curl timing options:

CVE-2020-8286: This flaw would allow an attacker, who perhaps could have breached a TLS server, to provide a fraudulent OCSP stapling response that would appear fine to curl. Possibly avoiding for example a revoked cert to be detected.


CVE-2020-8285: A malicious server can DOS a libcurl-using application that uses FTP wildcard matching and that skips certain entries, by providing as skipped entries until libcurl overflows the stack due to recursive calls.


CVE-2020-8284: A malicious server can use a `PASV` response to trick curl into connecting to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed.

