Post AtgmxGopU9JsQpYHzM by bagder@mastodon.social
(DIR) Post #AtfCycIuDqLMxEzX3g by bagder@mastodon.social
2025-05-01T21:08:35Z
4 likes, 3 repeats
We got this "HIGH security problem" reported for #curl earlier today:

"The -o / --output parameter in cURL does not restrict or sanitize file paths. When passed relative traversal sequences (e.g., ../../), cURL writes files outside the current working directory, allowing arbitrary file overwrite. In automated or privileged environments (CI/CD, root containers), this leads to Remote Code Execution (RCE), privilege escalation, and supply chain risk."

Never a dull moment.
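The report above treats curl writing to whatever path it is given with -o as a curl defect; in practice the path is the caller's responsibility, and a script that forwards an untrusted filename to -o is where the check belongs. The following is an added example, not code from curl or from this thread, showing one way such a wrapper can pin downloads to a fixed directory. The function names, the directory, and the idea that the filename arrives from an untrusted job input are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not curl's code): constrain an untrusted output name before
# handing it to `curl --output`, so "../../" style values cannot leave the
# download directory. Names are constructed for illustration.

# safe_output_path BASE NAME
# Accept NAME only as a plain basename: non-empty, no slashes, no leading dot
# (blocks "..", ".bashrc" and friends), and a restricted character set.
# On success prints "BASE/NAME" and returns 0; otherwise returns 1 and prints nothing.
safe_output_path() {
    base=$1
    name=$2
    case "$name" in
        ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf '%s/%s\n' "$base" "$name"
}

# fetch_to_dir BASE NAME URL
# Only calls curl when the name passed validation. The "--" ends option
# parsing so a URL beginning with "-" cannot be read as a curl option.
fetch_to_dir() {
    out=$(safe_output_path "$1" "$2") || {
        echo "refusing output name: $2" >&2
        return 1
    }
    curl --fail --silent --show-error --output "$out" -- "$3"
}
```

The validation rejects rather than rewrites: a name such as `../../etc/passwd` (a constructed value, used only for the check) is refused outright instead of being "cleaned", which avoids the usual sanitizer bypasses. Because `fetch_to_dir` never invokes curl on a rejected name, the same wrapper can be used unchanged in a CI job or a container running as root.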
(DIR) Post #AtfCygyWr20zRUUpUW by bagder@mastodon.social
2025-05-01T21:13:08Z
0 likes, 1 repeats
Same user followed up with a second severity HIGH security problem.

"The --capath option in cURL and CURLOPT_CAPATH in libcurl accept any directory path without validation. If an attacker provides a custom CA path containing a fake root certificate, cURL will trust malicious HTTPS endpoints signed with that fake root."

I'm fortunate to get to work with the best people
(DIR) Post #Atfs9TCTaBIUv5HzzU by sergiotarxz@social.owlcode.tech
2025-05-01T21:10:17Z
0 likes, 0 repeats
@bagder Sounds like a somebody else problem.
(DIR) Post #Atfs9U0SaLHPQ6futs by bagder@mastodon.social
2025-05-01T21:10:48Z
1 likes, 0 repeats
@sergiotarxz sounds like working as intended
(DIR) Post #AtgmxGopU9JsQpYHzM by bagder@mastodon.social
2025-05-02T06:49:19Z
0 likes, 1 repeats
Both these reports might be AI slop but we can't be sure - they lack some of the most obvious giveaways. People can be stupid without AI as well.