
Curl Warns GitHub About 'Malicious Unicode' Security Issue


A Curl contributor replaced an ASCII letter with a Unicode alternative in a pull request, writes Curl lead developer/founder Daniel Stenberg. And not a single human reviewer on the team (or any of their CI jobs) noticed. The change "looked identical to the ASCII version, so it was not possible to ...

In order to drive this change home, we went through all the test files in the curl repository and made sure that all the UTF-8 occurrences were instead replaced by other kinds of escape sequences and similar. The next time someone tries this stunt on us it could be someone with less good intentions, but now ideally our CI will tell us... We want and strive to be proactive and tighten everything before malicious people exploit some weakness somewhere but security remains this never-ending race where we can only do the best we can and while the other side is working in silence and might at some future point attack us in new creative ways we had not anticipated. In the original blog post Stenberg complained he got "barely no responses" from GitHub (joking "perhaps they are all just too busy implementing the next AI feature we don't want.")
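The kind of CI gate Stenberg describes, as an added example that is not curl's own tooling: it scans files for any non-ASCII code point and reports line, column and Unicode name, so a Cyrillic letter standing in for a Latin one fails the build instead of slipping past reviewers. The sample input is constructed here; the function and file names are hypothetical.

```python
"""Added example (not curl's own CI code): fail the build when a text file
contains any non-ASCII code point, e.g. a homoglyph swapped into source."""
import sys
import unicodedata
from pathlib import Path


def find_non_ascii(text):
    """Return (line, col, codepoint, unicode_name) for each non-ASCII char."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ord(ch) > 0x7F:
                hits.append((lineno, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "<unnamed>")))
    return hits


def check_bytes(name, raw):
    """Scan raw file bytes; return findings as strings (empty list == clean).
    Invalid UTF-8 is reported too, since it cannot be an intended escape."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return [f"{name}: invalid UTF-8 at byte offset {exc.start}"]
    return [f"{name}:{ln}:{col}: {cp} {uname}"
            for ln, col, cp, uname in find_non_ascii(text)]


def check_file(path):
    """Scan one file on disk (hypothetical helper used by main below)."""
    return check_bytes(str(path), Path(path).read_bytes())


def main(argv):
    """CI entry point: print every finding, exit 1 if any file is not clean."""
    findings = [f for p in argv[1:] for f in check_file(p)]
    for finding in findings:
        print(finding)
    return 1 if findings else 0


# Constructed sample: line 2 hides a Cyrillic 'а' (U+0430) in "application";
# it renders identically to the ASCII letter, which is the whole problem.
SAMPLE = "Accept: */*\nContent-Type: \u0430pplication/json\n"

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_ascii.py tests/data/*` in CI; a clean tree exits 0, and the constructed sample above would be reported as `2:15: U+0430 CYRILLIC SMALL LETTER A`.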
