[Daniel's week] January 2, 2026

Daniel Stenberg daniel at haxx.se
Fri Jan 2 23:31:33 CET 2026


Hey again.

Happy new year. I'm still in slow mode so this is another shortish mail, but I 
expect to gradually increase speed again next week...

## strcpy

I wrote down some words about my reasoning and progress in removing strcpy use
from the curl source code [1]. As a bonus, there is also a new graph for it
[2] as shown in the blog post.

The post triggered some responses, and it took off somewhat on hacker news [3].

## security

We have *six* pending CVEs to announce next week in sync with the curl
release. They are all severity low and medium, and all six are considered to
*not* be "C mistakes" - i.e. they would not have been avoided even if we had
used another language than C.

The Hackerone submission flood has continued. We ended up with a total of 181
reports in 2025, up from 86 in 2024, and this second day of the new year we
already received four more. (Expect an announcement about handling this
flood to happen later this month.)

There was certainly no slow-down in the influx during Christmas and new year.
Possibly the most intense period of the year. I spent lots of time discussing,
assessing, debunking, debugging security reports and writing pull requests to
fix the bugs that were found in the process.

Since so many vulnerability reports recently have been about "CRLF injections"
(even though they're not injected by anyone else than the user using curl or
libcurl), we ended up adding a clear explanation that curl actually mostly
does not try to stop them [4]. An interesting detail with these claimed
injections is that we never hear from actual users who think this is a bad
practice or should otherwise be changed.

## OOM errors

My long-term project of fixing cases where curl does not immediately error out
on out-of-memory errors also continued and I landed a few more changes to this
effect.

## Coming up

- Wednesday: curl 8.18.0 release
- Wednesday: release video live-stream

## Links

[1] = https://daniel.haxx.se/blog/2025/12/29/no-strcpy-either/
[2] = https://curl.se/dashboard1.html#strcpy-density
[3] = https://news.ycombinator.com/item?id=46433029
[4] = https://curl.se/dev/vuln-disclosure.html#crlf-in-data

-- 

  / daniel.haxx.se