BUGS
There are still bugs
curl and libcurl keep being developed. Adding features and changing code means that bugs sneak in, no matter how hard we try to keep them out.
Of course there are lots of bugs left. Not to mention misfeatures.
To help us make curl the stable and solid product we want it to be, we need bug reports and bug fixes.
Where to report
If you cannot fix a bug yourself and submit a fix for it, try to report an as detailed report as possible to a curl mailing list to allow one of us to have a go at a solution. You can optionally also submit your problem in curl's bug tracking system.
Please read the rest of this document below first before doing that.
If you feel you need to ask around first, find a suitable mailing list and post your questions there.
Security bugs
If you find a bug or problem in curl or libcurl that you think has a security impact, for example a bug that can put users in danger or make them vulnerable if the bug becomes public knowledge, then please report that bug using our security development process.
Security related bugs or bugs that are suspected to have a security impact, should be reported on the curl security tracker at HackerOne.
This ensures that the report reaches the curl security team so that they first can deal with the report away from the public to minimize the harm and impact it has on existing users out there who might be using the vulnerable versions.
The curl project's process for handling security related issues is documented separately.
What to report
When reporting a bug, you should include all information to help us understand what is wrong, what you expected to happen and how to repeat the bad behavior. You therefore need to tell us:
- your operating system's name and version number
- what version of curl you are using (curl -V is fine)
- versions of the used libraries that libcurl is built to use
- what URL you were working with (if possible), at least which protocol
and anything and everything else you think matters. Tell us what you expected to happen, tell us what did happen, tell us how you could make it work another way. Dig around, try out, test. Then include all the tiny bits and pieces in your report. You benefit from this yourself, as it enables us to help you quicker and more accurately.
Since curl deals with networks, it often helps us if you include a protocol debug dump with your bug report. The output you get by using the -v or --trace options.
If curl crashed, causing a core dump (in Unix), there is hardly any use to send that huge file to anyone of us. Unless we have the same system setup as you, we cannot do much with it. Instead, we ask you to get a stack trace and send that (much smaller) output to us instead.
The address and how to subscribe to the mailing lists are detailed in the MANUAL.md file.
libcurl problems
When you have written your own application with libcurl to perform transfers, it is even more important to be specific and detailed when reporting bugs.
Tell us the libcurl version and your operating system. Tell us the name and version of all relevant sub-components like for example the SSL library you are using and what name resolving your libcurl uses. If you use SFTP or SCP, the libssh2 version is relevant etc.
Showing us a real source code example repeating your problem is the best way to get our attention and it greatly increases our chances to understand your problem and to work on a fix (if we agree it truly is a problem).
Lots of problems that appear to be libcurl problems are actually just abuses of the libcurl API or other malfunctions in your applications. It is advised that you run your problematic program using a memory debug tool like valgrind or similar before you post memory-related or "crashing" problems to us.
Who fixes the problems
If the problems or bugs you describe are considered to be bugs, we want to have the problems fixed.
There are no developers in the curl project that are paid to work on bugs. All developers that take on reported bugs do this on a voluntary basis. We do it out of an ambition to keep curl and libcurl excellent products and out of pride.
Please do not assume that you can just lump over something to us and it then magically gets fixed after some given time. Most often we need feedback and help to understand what you have experienced and how to repeat a problem. Then we may only be able to assist YOU to debug the problem and to track down the proper fix.
We get reports from many people every month and each report can take a considerable amount of time to really go to the bottom with.
How to get a stack trace
First, you must make sure that you compile all sources with -g and that you do not 'strip' the final executable. Try to avoid optimizing the code as well, remove -O, -O2 etc from the compiler options.
Run the program until it cores.
Run your debugger on the core file, like <debugger> curl core. <debugger> should be replaced with the name of your debugger, in most cases that is gdb, but dbx and others also occur.
When the debugger has finished loading the core file and presents you a prompt, enter "where" (without quotes) and press return.
The list that is presented is the stack trace. If everything worked, it is supposed to contain the chain of functions that were called when curl crashed. Include the stack trace with your detailed bug report, it helps a lot.
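The stack trace steps above, together with the version details listed under "What to report", written as shell functions. This is an added example, not part of the curl project's documentation; it assumes gdb as the debugger, and the function names and output labels are made up for illustration.

```shell
#!/bin/sh
# Added example: collect the details this document asks for in a bug report.
# Function names and output labels are hypothetical; gdb is an assumption
# (the -batch and -ex options used below are gdb options).

# Print OS name/version and the curl version banner. `curl -V` also lists
# the libraries libcurl was built to use (TLS, SSH, resolver, ...).
report_header() {
  echo "OS: $(uname -sr)"
  if command -v curl >/dev/null 2>&1; then
    curl -V
  else
    echo "curl: not found in PATH"
  fi
}

# Print a stack trace from a core file using gdb in batch mode.
# usage: stack_trace <binary> <core> [gdb-path]
# returns 2 if an input file is unreadable, 3 if the debugger is missing.
stack_trace() {
  bin=$1; core=$2; dbg=${3:-gdb}
  [ -r "$bin" ]  || { echo "cannot read binary: $bin" >&2; return 2; }
  [ -r "$core" ] || { echo "cannot read core file: $core" >&2; return 2; }
  command -v "$dbg" >/dev/null 2>&1 ||
    { echo "debugger not found: $dbg" >&2; return 3; }
  # A stripped binary yields a trace without function names; warn early.
  if command -v file >/dev/null 2>&1 &&
     ! file "$bin" | grep -q 'not stripped'; then
    echo "warning: $bin looks stripped; rebuild with -g and do not strip" >&2
  fi
  # "where" is the same command the interactive steps above have you type.
  "$dbg" -batch -ex where "$bin" "$core"
}

# Example invocation (paths are placeholders):
#   { report_header; stack_trace ./curl ./core; } > report.txt
```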
Bugs in libcurl bindings
There are of course bugs in libcurl bindings. You should then primarily approach the team that works on that particular binding and see what you can do to help them fix the problem.
If you suspect that the problem exists in the underlying libcurl, then please convert your program over to plain C and follow the steps outlined above.
Bugs in old versions
The curl project typically releases new versions every other month, and we fix several hundred bugs per year. For a huge table of releases, number of bug fixes and more, see: https://curl.se/docs/releases.html
The developers in the curl project do not have bandwidth or energy enough to maintain several branches or to spend much time on hunting down problems in old versions when chances are we already fixed them or at least that they have changed nature and appearance in later versions.
When you experience a problem and want to report it, you really SHOULD include the version number of the curl you are using when you experience the issue. If that version number shows us that you are using an out-of-date curl, you should also try out a modern curl version to see if the problem persists or how/if it has changed in appearance.
Even if you cannot immediately upgrade your application/system to run the latest curl version, you can most often at least run a test version or experimental build or similar, to get this confirmed or not.
At times people insist that they cannot upgrade to a modern curl version, but instead, they "just want the bug fixed". That is fine, just do not count on us spending many cycles on trying to identify which single commit, if that is even possible, that at some point in the past fixed the problem you are now experiencing.
Security wise, it is almost always a bad idea to lag behind the current curl versions by a lot. We keep discovering and reporting security problems over time, as you can see in this table.
Bug fixing procedure
What happens on first filing
When a new issue is posted in the issue tracker or on the mailing list, the team of developers first needs to see the report. Maybe they took the day off, maybe they are off in the woods hunting. Have patience. Allow at least a few days before expecting someone to have responded.
In the issue tracker, you can expect that some labels are set on the issue to help categorize it.
First response
If your issue/bug report was not perfect at once (and few are), chances are that someone asks follow-up questions. Which version did you use? Which options did you use? How often does the problem occur? How can we reproduce this problem? Which protocols does it involve? Or perhaps much more specific and deep diving questions. It all depends on your specific issue.
You should then respond to these follow-up questions and provide more info about the problem, so that we can help you figure it out. Or maybe you can help us figure it out. An active back-and-forth communication is important and the key for finding a cure and landing a fix.
Not reproducible
We may require further work from you who actually see or experience the problem if we cannot reproduce it and cannot understand it even after having gotten all the info we need and having studied the source code over again.
Unresponsive
If the problem has not been understood or reproduced, and there is nobody responding to follow-up questions or questions asking for clarifications or for discussing possible ways to move forward with the task, we take that as a strong suggestion that the bug is unimportant.
Unimportant issues are closed as inactive sooner or later as they cannot be fixed. The inactivity period (waiting for responses) should not be shorter than two weeks but may extend months.
Lack of time/interest
Bugs that are filed and are understood can unfortunately end up in the "nobody cares enough about it to work on it" category. Such bugs are perfectly valid problems that should get fixed but apparently are not. We try to mark such bugs as KNOWN_BUGS material after a time of inactivity and if no activity is noticed after yet some time those bugs are added to the KNOWN_BUGS document and are closed in the issue tracker.
KNOWN_BUGS
This is a list of known bugs. Bugs we know exist and that have been pointed out but that have not yet been fixed. The reasons for why they have not been fixed can involve anything really, but the primary reason is that nobody has considered these problems to be important enough to spend the necessary time and effort to have them fixed.
The KNOWN_BUGS items are always up for grabs and we love the ones who bring one of them back to life and offer solutions to them.
The KNOWN_BUGS document has a sibling document known as TODO.
TODO
Issues that are filed or reported that are not really bugs but more missing features or ideas for future improvements and so on are marked as enhancement or feature-request and get added to the TODO document and the issues are closed. We do not keep TODO items open in the issue tracker.
The TODO document is full of ideas and suggestions of what we can add or fix one day. You are always encouraged and free to grab one of those items and take up a discussion with the curl development team on how that could be implemented or provided in the project so that you can work on ticking it off that document.
If an issue is rather a bug and not a missing feature or functionality, it is listed in KNOWN_BUGS instead.
Closing off stalled bugs
The issue and pull request trackers only hold "active" entries open (using a non-precise definition of what active actually is, but they are at least not completely dead). Those that are abandoned or in other ways dormant are closed and sometimes added to TODO and KNOWN_BUGS instead.
This way, we only have "active" issues open on GitHub. Irrelevant issues and pull requests do not distract developers or casual visitors.