Hackers' Pub

Syntax	Description	Examples
`"` keyword `"`	Finds the string within quotes, including spaces. Case-insensitive. (Escape quotes inside with `\"`)	`"Hackers' Pub"`
`from:` handle	Finds content written by the specified user.	`from:hongminhee` `from:hongminhee@hollo.social`
`lang:` ISO 639-1	Finds content written in the specified language.	`lang:en`
`#` tag	Finds content with the specified tag. Case-insensitive.	`#HackersPub`
condition condition	Finds content that satisfies both conditions on either side of the space (logical AND).	`"Hackers' Pub" lang:en`
condition `OR` condition	Finds content that satisfies at least one of the conditions on either side of the OR operator (logical OR).	`#HackersPub OR "Hackers' Pub" lang:en`
`(` condition `)`	Combines the operators within the parentheses first.	`(#HackersPub OR "Hackers' Pub" OR "Hackers Pub") lang:en`

daniel:// stenberg:// @bagder@mastodon.social

11/10/2025, 3:52:50 PM

Public

one of the most common security reports we get in #curl is claims of various CRLF injections where a user injects a CRLF into their own command lines and that's apparently "an attack".

We have documented this risk if you pass in junk in curl options but that doesn't stop the reporters from reporting this to us. Over and over.

Here's a recent one.

https://hackerone.com/reports/3418616

curl disclosed on HackerOne: SMTP CRLF Injection in curl/libcurl...

SMTP CRLF Injection Vulnerability in curl/libcurl ## Vulnerability ID: CURL-SMTP-CRLF-2024 ## CWE-93: Improper Neutralization of CRLF Sequences ### Executive Summary curl/libcurl contains a CRLF injection vulnerability in its SMTP implementation that allows attackers to inject arbitrary SMTP commands by including CR (\r) and LF (\n) characters in mailbox addresses. ### Affected Versions -...

hackerone.com · HackerOne

If you have a fediverse account, you can quote this note from your own instance. Search https://mastodon.social/users/bagder/statuses/115526203522250053 on your instance and quote it. (Note that quoting is not supported in Mastodon.)