"curl does not support an option called `-guid`, but if it did, somebody writing a shell script might use it wrong. Clearly this is a security bug in curl" ???

What the hell did I just read?

(h/t to @bagder for linking to curl's hackerone, for additional hilarious reading material)

https://hackerone.com/reports/3648199

curl disclosed on HackerOne: Internal application wrapper or script...

While -guid is not a standard or documented curl command, a Command Injection or Argument Injection vulnerability within a specific application that wraps curl. Security Analysis: curl -guid -url example.com 1. Status of the "-guid" FlagUndocumented/Non-existent: The official curl binary does not recognize a -guid flag. Standard versions will return an "unrecognized option" error.Custom...

HackerOne
@DHowett this is kind of sad @bagder
@DHowett @bagder I wonder if AI hallucinated a -guid argument and that’s where this came from

@DHowett

This is the most confusing thing I've ever read. I swear this is what LLMs are doing to people.

@DHowett @bagder

"Per project policy for transparency, submitter rougerseven7 is a clueless wanker."

@DHowett @bagder Yeah, the ‘This flag likely belongs to’ line makes this sound like an LLM. That phrase being used in inappropriate contexts (where ‘likely’ should have been double-checked and confirmed) is a red flag IMO.
@DHowett @bagder "curl does not support an option called `-sendallmypaymentdetailstosomeguy`, but if it did..."
Hope this is being worked on 😥

@DHowett @bagder Almost every sentence of that report is weirder than the last.

Yes, if you have the ability to overwrite /etc/shadow, and call `system()` with unsanitised untrusted user data in the command line, a shell injection attack could overwrite /etc/shadow. Who would have suspected?

Also, what about `--engine`? How is it relevant to (non-existent) -guid? It's a mystery!

Finally, attachment `curl_guid.mp4`?!? I've reached a state of confusion I wasn't expecting to achieve today.

@DHowett Shades of Groklaw's classic summary of Darl McBride's legal argument: "if I had ham, I could have ham and eggs, if I had eggs."
@DHowett @bagder to be fair, I was also quite confused the first time I learned flags can be combined, mistakes happen 🙃 yet, no reason to report it.
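Two things in the thread are worth seeing in code rather than argued about: how a getopt-style parser turns `-guid` into clustered short options (the point of the reply above), and why the "wrapper calls `system()` with untrusted data" scenario from the earlier reply is a bug in the wrapper, not in curl. The block below is an added example written for this page; it is not curl's code and not from the HackerOne report. The option table is a deliberately small model of a handful of curl short options (`-g`, `-i`, `-s`, `-u`, `-d`), and `curl_argv_for`/`URL_RE` are hypothetical wrapper helpers, not a real API.

```python
import re
import subprocess

# Constructed model of a few curl short options (not curl's real option table).
# True means the option consumes an argument, False means it is a bare switch.
SHORT_OPTS = {
    "g": False,  # --globoff
    "i": False,  # --include
    "s": False,  # --silent
    "u": True,   # --user <user:password>
    "d": True,   # --data <data>
}


def parse_argv(argv):
    """Expand POSIX-style clustered short options the way getopt-like parsers do.

    Returns (options, positionals). Within a cluster such as '-guid', each letter
    is a separate switch until one that takes an argument is reached; that option
    then swallows the rest of the token (or the next token if nothing is left).
    """
    options, positionals = [], []
    i = 0
    while i < len(argv):
        tok = argv[i]
        i += 1
        if tok.startswith("--"):
            raise ValueError("long options are not modelled in this example")
        if tok == "-" or not tok.startswith("-"):
            positionals.append(tok)
            continue
        j = 1
        while j < len(tok):
            ch = tok[j]
            if ch not in SHORT_OPTS:
                raise ValueError(f"option -{ch}: is unknown")
            if SHORT_OPTS[ch]:
                rest = tok[j + 1:]
                if rest:
                    arg = rest
                elif i < len(argv):
                    arg = argv[i]
                    i += 1
                else:
                    raise ValueError(f"option -{ch} requires an argument")
                options.append((ch, arg))
                break  # the rest of the token was the argument
            options.append((ch, None))
            j += 1
    return options, positionals


# Strict allowlist for what the hypothetical wrapper accepts as a URL:
# http(s) scheme, hostname, optional port, and a path with no shell metacharacters.
URL_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[A-Za-z0-9._~%/?#=:@+,-]*)?$")


def curl_argv_for(url):
    """Build an argv for a curl wrapper without involving a shell at all.

    Rejects anything that is not a plain http(s) URL and passes the value after
    --url, so a string beginning with '-' cannot be parsed as an option.
    """
    if not URL_RE.fullmatch(url):
        raise ValueError("refusing value that is not a plain http(s) URL")
    return ["curl", "--silent", "--show-error", "--url", url]


def run_curl(url):
    # shell=False: argv goes straight to execve, so ';', '|' and '$(...)' in the
    # input are inert text for the process, never commands for a shell.
    return subprocess.run(curl_argv_for(url), capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # The report's own command line, as a getopt-style parser sees it:
    # -g, then -u with argument "id", then -u with argument "rl", then the URL.
    print(parse_argv(["-guid", "-url", "example.com"]))
    print(curl_argv_for("https://example.com/path"))
```

Building the command as a string and handing it to `system()` is the defect the thread mocks; the fix belongs in the wrapper (validate the input, pass an argv list, never a shell string), which is why none of this is a curl vulnerability.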