daniel:// stenberg://May 1

We got this "HIGH security problem" reported for #curl earlier today:

"The -o / --output parameter in cURL does not restrict or sanitize file paths. When passed relative traversal sequences (e.g., ../../), cURL writes files outside the current working directory, allowing arbitrary file overwrite. In automated or privileged environments (CI/CD, root containers), this leads to Remote Code Execution (RCE), privilege escalation, and supply chain risk."

Never a dull moment.

Show threaddaniel:// stenberg://May 1

Same user followed up with a second severity HIGH security problem.

"The --capath option in cURL and CURLOPT_CAPATH in libcurl accept any directory path without validation. If an attacker provides a custom CA path containing a fake root certificate, cURL will trust malicious HTTPS endpoints signed with that fake root."

I'm fortunate to get to work with the best people 🤠

Show threaddaniel:// stenberg://May 2
Both these reports might be AI slop but we can't be sure - they lack some of the most obvious giveaways. People can be stupid without AI as well.
Show threadhamish
@bagder statement for the ages
May 2 at 9:53amWeb