Will people stop messing with unsafe buffers in C already? Even just using C++ with the most basic buffer/dynamic array template would have prevented this issue.
While I agree with the general thrust of your comment, note that a) this is specifically addressed in Daniel's blog post b) He stated the reason why it's not happening right now multiple times already, and they seem well thought out. (Basically, the code base is huge and not easily converted, and there is no compiler support for some of the platforms libcurl supports).
Engineering is based on trade offs. In this specific case, the answer is no, unfortunately. This does of course not absolve new or smaller projects of this critique, but let's give curl a pass on this one.
Yeah, it was more of a general "old man yells at cloud" comment not aimed at anything in particular. It's just frustrating that we shouldn't have 99% of these vulnerabilities. Don't even have to go all the way with the borrow checking and Rust, just basic bounds checks on all containers through templates would be a massive improvement over using C. Yes, the performance will degrade by some single digit %, but nobody cares.
> and there is no compiler support for some of the platforms libcurl supports
I feel like there are no serious platforms that don't have at least a C++ compiler for it. Or am I wrong there?
In that case, let's yell at clouds together. And somehow Rust made me forget about C++. Or Ada. Or even godforsaken COBOL (and now you have permission to yell at me).