Dustin L. Howett1d ago

"curl does not support an option called `-guid`, but if it did, somebody writing a shell script might use it wrong. Clearly this is a security bug in curl" ???

What the hell did I just read?

(h/t to @bagder for linking to curl's hackerone, for additional hilarious reading material)

https://hackerone.com/reports/3648199

curl disclosed on HackerOne: Internal application wrapper or script...

While -guid is not a standard or documented curl command, a Command Injection or Argument Injection vulnerability within a specific application that wraps curl. Security Analysis: curl -guid -url example.com 1. Status of the "-guid" FlagUndocumented/Non-existent: The official curl binary does not recognize a -guid flag. Standard versions will return an "unrecognized option" error.Custom...

HackerOne
Show threadmarcu
@DHowett @bagder to be fair, i was also quite confused the first time I learned flags can be combined, mistakes happen 🙃 yet, no reason to report it.
1:42pmMastodon for Android