frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

China built a 40-story tower that stores wind power by stacking concrete

https://boingboing.net/2026/07/06/post-china-built-a-40-story-tower-that-stores-wind-powe.html
2•eric_h•7m ago•0 comments

Supreme Court won't block Texas enforcing age verification law for app downloads

https://apnews.com/article/texas-age-mobile-app-verification-law-supreme-court-362137cccb26fc5f5d...
1•1vuio0pswjnm7•7m ago•0 comments

How Europe would fight without America

https://www.ft.com/content/ffd323d9-8a8c-4b67-ae0d-208c8f994ece
1•JumpCrisscross•10m ago•0 comments

Ask HN: Where do you hire interns for startups?

1•guptadeepak•11m ago•0 comments

Section 139(8A) of Income Tax Act: Guide, Rules and Benefits – SMFG India Credit

https://www.smfgindiacredit.com/knowledge-center/section-139-8a-of-income-tax-act.aspx
1•saumyaraut11•12m ago•0 comments

Xbox 'OG' Adventures

https://mamoniem.com/xbox-og-adventures/
1•davikr•13m ago•0 comments

"The Borgias" vs. "Borgia: Faith and Fear" (accuracy in historical fiction)

https://www.exurbe.com/the-borgias-vs-borgia-faith-and-fear/
1•walterbell•23m ago•0 comments

The Consciousness Atlas: Visualizing the Landscape of Consciousness

https://www.consciousnessatlas.com/
2•lucasrufkahr•27m ago•0 comments

The Socialist Temptation of Sam Altman

https://www.wsj.com/opinion/openai-government-sam-altman-donald-trump-ai-5b2676a2
2•thm•29m ago•0 comments

Show HN: Conquer the Top Leagues 38-0 Games

https://38-0.one/
1•cksmct•30m ago•1 comments

Researchers Reveal the Power of 'Quantum Proofs'

https://www.quantamagazine.org/researchers-reveal-the-power-of-quantum-proofs-20260706/
1•pseudolus•31m ago•0 comments

Too ugly, too noisy, too American? France's great air con debate

https://www.cnn.com/2026/07/07/europe/france-heatwave-air-con-politics-intl
1•rawgabbit•35m ago•1 comments

Summary: Analytic Idealism in a Nutshell by Bernardo Kastrup

https://www.chestergrant.com/summary-analytic-idealism-in-a-nutshell-by-bernardo-kastrup
1•chegra•35m ago•0 comments

MSE – Why am I finding the Catalan numbers in these "Snowball Numbers"?

https://math.stackexchange.com/questions/5142872/why-am-i-finding-the-catalan-numbers-in-these-sn...
1•philipfweiss•36m ago•0 comments

12.4M US business registrations are free on state open-data portals

https://gist.github.com/BhackerJ/22a35fead8764782189c7a20c5ded0d7
1•chonghaoju•36m ago•1 comments

Are Humanoid Robots Ready to Be Deployed?

https://www.newyorker.com/magazine/2026/07/06/are-humanoid-robots-ready-to-be-deployed
1•tuxguy•40m ago•1 comments

Show HN: Disclosure Lookup – a Caido plugin that finds where to report a vuln

https://github.com/disclose/caido-lookup
2•caseyjohnellis•48m ago•0 comments

There's a Global Network of Fungi Under Your Feet This Is the First Complete Map

https://www.wired.com/story/theres-a-global-network-of-fungi-under-your-feet-this-is-the-first-co...
1•Jimmc414•51m ago•4 comments

Apple updates vended agent skills: Xcode 27 Beta 3

https://petegoldsmith.com/blog/2026-07-07-xcode-27-beta-3-agent-skills/
2•theraven•52m ago•0 comments

A Sad Kind of Convenience - The death of physical media

https://www.theatlantic.com/technology/2026/07/playstation-ends-discs/687770/
1•Bondi_Blue•52m ago•2 comments

Show HN: Lingbot Vision – Self-Supervised Dense Perception (0.296 NYUv2 RMSE)

https://technology.robbyant.com/lingbot-vision
1•Kajaking•52m ago•0 comments

Balancing Claude 4.8 with GLM 5.2 in mid-level Coding Agent structuring prompts

https://cimons.com/article/balancing-claude-with-glm-5-2-in-mid-level-coding-agent-structuring-pr...
1•etcimon•52m ago•1 comments

Snap sued by parents of girl who was raped by man she met on Snapchat

https://www.latimes.com/business/story/2026-06-25/snap-sued-by-parents-of-girl-who-was-raped-by-m...
3•1vuio0pswjnm7•53m ago•0 comments

CapTablex: Open-source cap table managment in Elixir

https://github.com/captablex/captablex
1•rayrrr•1h ago•1 comments

A Mom Said Infant Formula Killed Her Baby. The Manufacturer Closed the File

https://kffhealthnews.org/health-industry/infant-formula-adverse-events-nec-baby-deaths-fda-repor...
1•Jimmc414•1h ago•0 comments

U.S. vs. Live Nation: Proposed Final Judgment and Competitive Impact Statement

https://www.federalregister.gov/documents/2026/07/06/2026-13623/united-states-et-al-v-live-nation...
1•Jimmc414•1h ago•0 comments

Show HN: My 11 year old daughter and I build this DQ8 style game on macOS

https://code.intellios.ai/cedricsquest/
1•coolwulf•1h ago•1 comments

PyPI Downloads accuracy

https://pepy.tech/projects/finops-mcp
1•chaandannn•1h ago•0 comments

Atlanta-based company saved $100k by replacing Salesforce with Replit-built CRM

https://twitter.com/amasad/status/2074274666709987663
1•backlit4034•1h ago•1 comments

Xbox cuts 3,200 jobs as gaming business struggles

https://www.latimes.com/entertainment-arts/business/story/2026-07-06/xbox-cuts-3-200-jobs-as-part...
1•1vuio0pswjnm7•1h ago•0 comments
Open in hackernews

CRLF Injection in `–proxy-header` allows extra HTTP headers (CWE-93)

https://hackerone.com/reports/3133379
11•oblivionsage•1y ago

Comments

blueflow•1y ago
Check the man-page first. You need to know how a program is supposed to behave before you can know that an observed behavior is off-spec and warrants a bug.
robertlagrant•1y ago
I don't understand the "This is not supposed to happen". Can someone explain?

To me this is the same as

  --proxy-header "X-Test: hello" --proxy-header "X-Evil: owned"
flotzam•1y ago
Imagine running

  curl --proxy-header "X-Test: $UNTRUSTED_USER_INPUT"
wang_li•1y ago
That is not a bug in curl, at most it's a bug in whatever gathered $UNTRUSTED_USER_INPUT.
flotzam•1y ago
People still expect an API to reject illegal values. Calling the parameter --proxy-header (singular) could lead someone to assume that multiline strings are illegal values, even if there's a note in the docs somewhere saying otherwise.
blueflow•1y ago
Then the people assuming random things without doing research are to blame, not curl.
flotzam•1y ago
Apportioning blame doesn't get rid of bugs; misuse resistant APIs do.
blueflow•1y ago
Reading docs ("research") is essential part of engineering.

Lets ask the question reversed: How did people know in the first place what kind of string they need to give to --proxy-header?

flotzam•1y ago
> Reading docs ("research") is essential part of engineering.

Sure, but so is safety engineering. Making mechanisms more obvious to use correctly or fail safe if used incorrectly improves outcomes when flawed human beings use them. It also makes them more pleasant to use in general.

Besides, look at the man page in question. It's talking about this in terms of encoding niceties and doesn't even spell out the possibility of deliberate, let alone malicious multiline values:

"curl makes sure that each header you add/replace is sent with the proper end-of-line marker, you should thus not add that as a part of the header content: do not add newlines or carriage returns, they only mess things up for you."

That's inducing a wrong/incomplete mental model of how this parameter works.

jeroenhd•1y ago
I suppose it kind of depends. I agree with the curl team here that this is a case of garbage in/garbage out, but I can imagine this going wrong with a binary protocol like HTTP2 on the front and a text protocol like HTTP 1.1 behind a reverse proxy. The \r\n will make it to the proxy as a separate header, but will be turned into two headers on the upstream.

That said, this would be a (reverse) proxy vulnerability, not one in curl.

ale42•1y ago
I'm not sure where is the security issue here. As already noted, one can just put several --proxy-header arguments, so the functionality is equivalent.

The only way this would do something unexpected (and not necessarily dangerous besides breaking the service) would be if the curl command would be used in a scenario like: (1) curl is used by some script to access some API or other URL, (2) a user can configure the script to give a specific value to an header, let's say an authentication token or similar, but the user can't directly alter the curl command (e.g. because they can only change URL and TOKEN with a web interface). Here the user would be able to add an header IF the script is not properly sanitizing the input (so the supposed security issue IMHO would be in the script), but if adding an additional header breaks security, the underlying system has a problem too...

In a very far-stretched scenario, one can possibly add two CRLFs and have the rest of the header (if any) considered by the server as data. IF the request is a POST/PUT/... request, and IF the server returns (or allows later access to) the data, and IF the attacker manipulating the supposedly-restricted single-header can see the output of the call (or retrieve the saved data), then we'd have an information disclosure issue. Would it disclose anything sensitive? Not sure, unless there's an auth token or something AFTER the header. And again, I'd rather incriminate the curl caller for not sanitizing the input if this happens.

blueflow•1y ago
> doesn't even spell out the possibility of deliberate, ... multiline values

It does for me, as any kind of extra newlines results in a multi-line string.

> ... malicious ...

Like Daniel said, garbage in, garbage out. If you pass user inputs to curl, one should check what curl does with these values and take proper care.

robertlagrant•1y ago
> do not add newlines or carriage returns, they only mess things up for you

I disagree, but I would say that curl might as well add this as a validation check than a documentation warning.

blueflow•1y ago
This is explained in the ticket:

  One of the reasons we still allow that is that this "feature" was used quite deliberately by users in the past and I have hesitated to change that for the risk that it will break some users use cases.
robertlagrant•1y ago
Yes, I'm not sure if I agree with this or not. Those users don't have to upgrade. But obviously I'm not maintaining a key tool for the world. It's just my opinion.
soraminazuki•1y ago
One shouldn't construct shell commands from untrusted user input in the first place unless they know exactly what they're doing and is aware of all the pitfalls. It's the worst possible tool to be using if the aim is to avoid security issues with minimal effort. Debating about this particular curl quirk distracts from the bigger issue IMO.
robertlagrant•1y ago
> That is not a bug in curl, at most it's a bug in whatever gathered $UNTRUSTED_USER_INPUT.

But that could just contain the bad header only, could it not?