[Daniel's week] March 7, 2025
Daniel Stenberg
daniel at haxx.se
Fri Mar 7 18:29:12 CET 2025
Hello friends!
## Email format
I'm back to my previous weekly email formatting again, edited in emacs. I was
not entirely happy with the other style and I had readers tell me that it was
a worse style than before.
It is a gentle balance between the ease of writing and how it looks to readers
of it. I suppose I will try out variations going forward as well.
## my cookie spec problem
I could not resist but objected in a cookie discussion on the httpbis mailing
list in which I brought up my old complaint about the existing cookie spec RFC
6265 and its coming successor still known as 6265bis. When someone then asked
me about said objection I figured instead of trying to explain myself in a
short reply I would clarify myself properly. So I instead blogged[1] some
words about it and now there's a URL I can refer others to if this comes up
again.
## podcast
I joined the podcast Security Weekly [2] as a guest this week and we talked
curl security. CVE, CVSS, not rewriting it in rust and what we do to try
avoiding letting the world burn. A fun 35-minute chat. Recorded only the day
before it went public.
## upload flags
curl's 268th command line option became --upload-flags [3]. Introduced in the
pending curl 8.13.0 release. It is a new option to set which flags to set for
an IMAP resource when one is uploaded to a server. The flags answered, deleted,
draft, flagged, and seen are supported and with this we fix a minor feature gap
people have been pointing out several times in the past. This is of course
powered by a new libcurl option for this [4].
## strtok
We have banned the use of the strtok() function from curl code for a long
time, but we also offer a way to do exceptions from this and we have used such
exceptions in the curl tool code for just about as long as the ban has been in
place. It has always been unfortunate, but not terribly. It has been deemed
okay since the code using it is not multi-threaded and it got the job done.
This week I went over the code again and rewrote the remaining functions still
using strtok() to instead use something else. In most cases also by avoiding
actually writing data to the buffer being parsed so that we can a) avoid an
extra malloc/free cycle and b) use more const char pointers. This reduces
memory use and is generally a nicer thing to do. Now there are no strtok()
calls left in production code. Yay.
This also made me ultimately able to remove the unconditional strdup() we
previously did for every command line option provided to curl. Admittedly not
a major memory waste or anything, but still nice to be able to stop doing
completely in vain.
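To illustrate the kind of rewrite described above, here is an added example (not curl's own code) of a tokenizer that walks a delimited string with const char pointers and hands back (pointer, length) pairs instead of writing NUL bytes into the buffer the way strtok() does. The names (token_t, next_token, tokenize, token_equals) and the sample input are constructed for this example.

```c
/* Added example, not from the curl project: splitting a delimited string
 * without strtok(). strtok() overwrites separators with NUL bytes and keeps
 * hidden static state, so callers need a writable copy (an extra malloc/free)
 * and the function is not reentrant. This version never modifies or copies
 * the input; each token is a pointer into the original buffer plus a length.
 * All identifiers below are hypothetical names chosen for the example. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
  const char *ptr; /* start of the token inside the caller's buffer */
  size_t len;      /* token length; the token is NOT NUL-terminated */
} token_t;

/* Fetch the next non-empty token starting at *cursor and advance *cursor
 * past it. Returns 1 when a token was produced, 0 when the input is done. */
int next_token(const char **cursor, char sep, token_t *out)
{
  const char *p = *cursor;
  while(*p == sep)          /* skip empty fields such as the middle of "a,,b" */
    p++;
  if(!*p)
    return 0;
  const char *end = strchr(p, sep);
  if(!end)
    end = p + strlen(p);    /* last token runs to the end of the string */
  out->ptr = p;
  out->len = (size_t)(end - p);
  *cursor = end;
  return 1;
}

/* Split 'input' on 'sep' into at most 'max' tokens; returns the count. */
size_t tokenize(const char *input, char sep, token_t *tokens, size_t max)
{
  size_t n = 0;
  const char *cursor = input;
  token_t t;
  while(n < max && next_token(&cursor, sep, &t))
    tokens[n++] = t;
  return n;
}

/* Compare a length-delimited token with a NUL-terminated string. */
int token_equals(const token_t *t, const char *s)
{
  return strlen(s) == t->len && memcmp(t->ptr, s, t->len) == 0;
}

/* Parse a constructed flag list and confirm the input buffer survives intact,
 * which is exactly what strtok() cannot guarantee. Returns 1 on success. */
int example_checks(void)
{
  const char flags[] = "answered,deleted,,seen"; /* constructed sample input */
  token_t toks[8];
  size_t n = tokenize(flags, ',', toks, 8);
  if(n != 3)
    return 0;
  if(!token_equals(&toks[0], "answered") ||
     !token_equals(&toks[1], "deleted") ||
     !token_equals(&toks[2], "seen"))
    return 0;
  /* the const buffer was only read, never written */
  return strcmp(flags, "answered,deleted,,seen") == 0;
}

int main(void)
{
  const char flags[] = "answered,deleted,,seen";
  token_t toks[8];
  size_t n = tokenize(flags, ',', toks, 8);
  for(size_t i = 0; i < n; i++)
    printf("%zu: %.*s\n", i, (int)toks[i].len, toks[i].ptr);
  return example_checks() ? 0 : 1;
}
```

Because the tokens are (pointer, length) pairs, printing or comparing them needs the length-aware forms (`%.*s`, `memcmp`) rather than the usual NUL-terminated string calls; in exchange the input can be a `const char *`, no copy is allocated, and the function has no hidden state shared between callers.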
## roadmap
108 unique viewers watched the curl roadmap 2025 [5] stream on twitch and over
a dozen people participated on Zoom. Just some word about features and things
I want and hope to see happen in curl over the coming year.
## UAF
We received this interesting UAF report [6] on HackerOne. It correctly
identified a Use After Free bug and one that we could reproduce. After a lot
of deliberating and thinking however, we deemed that we could not find any
reasonable security angle, vulnerability or possible exploit of it, so we have
decided to treat it as a "normal bug" [7]. This process, making these decisions,
is the truly hard part of curl security. I'm keen on making sure that we do
them with full transparency and openness so that everyone who wants to can
check this out, scrutinize our work and object if there are reasons to.
## fuzzer
The reporter behind the UAF problem above, Philippe Antoine, also this week
extended the curl-fuzzer [8] a bit, and thanks to this unveiled at least two
smaller memory leaks.
This triggered me to build the curl fuzzer locally again, which I hadn't done
in a while and then by extension I found a bunch of minor issues to fix and
those have now been merged into that git repository and should make building
the fuzzer a little bit smoother going forward. I still need to apply a local
patch to make it build on Debian Unstable, and have now provided a separate
documentation update for doing this [15].
The curl-fuzzer is what oss-fuzz [9] uses to fuzz curl around the clock in a
never-ending fashion. Extending the fuzzer (to do more fuzzing of more libcurl
options) helps us keep libcurl solid. We have not had any hits in oss-fuzz for
many months now. Maybe this will shake things up a little?
## sub-10 issues
As of the morning of March 7 2025, we have less than ten open issues in the
curl project on GitHub [10]. Of course thanks to a lot of hard work by awesome
contributors.
## location-mode
I think I mentioned before that I merged support into libcurl for new ways to
do HTTP redirect following that involves a custom method [13].
This is both to allow better redirect-follows in general, but it has also been
triggered a little extra by the work on introducing QUERY [14] as a new HTTP
method. If, or when, QUERY becomes popular I want curl to be able to use it
properly and then it needs to deal with redirects better.
So, with the libcurl part merged we need to offer a way for the curl tool to
use these new powers. I wrote up a pull-request [12] this week for this
purpose, but I deliberately decided to not merge it in this feature window but
instead wait for possible more feedback and thinking. I can then merge this
new tool feature in the next release cycle.
The idea is to provide a --location-mode option. One reason to do it this way,
is that users can then for example set a default choice in their .curlrc and
then the -L and -X combos will automatically work as decided.
Your feedback on this option or other ways to improve this, is welcome!
## feature freeze
There are still four PRs marked feature-window that were not merged this cycle
because they need attention, changes or both. We still count nine changes
listed in the RELEASE-NOTES and a whopping 169 bugfixes merged already, so I
think we are doing pretty well.
This feature freeze is also the first one with an associated release candidate
according to the new policy [11].
## Coming up
- curl feature window closes tomorrow March 8
- curl 8.13.0 rc1 ships tomorrow March 8
## Links
[1] = https://daniel.haxx.se/blog/2025/03/01/my-cookie-spec-problem/
[2] = https://youtu.be/0UavY_kKKic?si=M-CiZBzblnwqihlP
[3] = https://curl.se/docs/manpage.html#--upload-flags
[4] = https://curl.se/libcurl/c/CURLOPT_UPLOAD_FLAGS.html
[5] = https://youtu.be/0vVTNm2q2vg?si=duBS2iF8TPgrDYHf
[6] = https://hackerone.com/reports/3022041
[7] = https://github.com/curl/curl/pull/16588
[8] = https://github.com/curl/curl-fuzzer
[9] = https://google.github.io/oss-fuzz/
[10] = https://github.com/curl/curl/issues
[11] = https://daniel.haxx.se/blog/2025/02/28/adding-curl-release-candidates/
[12] = https://github.com/curl/curl/pull/16543
[13] = https://curl.se/libcurl/c/CURLOPT_FOLLOWLOCATION.html
[14] = https://www.ietf.org/archive/id/draft-ietf-httpbis-safe-method-w-body-08.html
[15] = https://github.com/curl/curl-fuzzer/blob/master/DEBIAN.md
--
/ daniel.haxx.se