Popular:
Virtualization DNS security formal verification reachability analysis compiler errors macro conflict web extension development framework Bitmap Graphics API inconsistencies All Tags

Curl's Dotted Disaster: Two CVEs and a Never-Ending Chase

2025-05-15
Curl's Dotted Disaster: Two CVEs and a Never-Ending Chase

The curl team has had a persistent struggle with trailing dots in hostnames within URLs. Initially ignoring them, curl later reinstated support for websites requiring trailing dots. However, this change inadvertently introduced two security vulnerabilities (CVE-2022-27779 and CVE-2022-30115) affecting cookie handling and the HSTS mechanism respectively. These vulnerabilities stemmed from improper handling of trailing dots leading to incorrect domain matching. curl 7.83.1 addresses these issues, but the author suspects this may be just the beginning of a long-running battle.

(daniel.haxx.se)
Development
Beyond REST: Why State Synchronization is the Future of Web Apps
The Renaissance of Small and Old Tech: Simplicity and Privacy Reimagined