Renaud Allard

Yes, it did work for me. Even if it doesn't contain private data, everything should still be in https to prevent snooping.

It seems the answer from curl people is mixed. If you set an option like CURLOPT_POSTFIELDS to point to something bad, I don't think you should assume that libcurl won't use it simply because you have also set CURLOPT_HTTPGET. I agree that ideally libcurl should just ignore that pointer in this case, but I don't think that's a good reason for an application to keep a stale pointer set for curl. PR coming up.

Bug submitted in curl: https://github.com/curl/curl/issues/3548

libcurl is the same as on linux, there is no specific one for BSD. I made this change because the segfault was in a httpGet request but using some post options in libcurl. Why is POST called in GET, I have no idea, I would need to understand the whole code of esniper to find that. Hence why I opened the bug report, there is something wrong somewhere, but I have not enough experience in libcurl or esniper to find it. Besides, "esniper -m" always ends without any result, even if there are some tings...

It seems this patch solves those crashes, but the issue must be deeper --- http.c.orig Sun Jun 17 19:26:57 2018 +++ http.c Fri Feb 1 15:24:53 2019 @@ -162,8 +162,10 @@ return httpRequestFailed(mp); if (rt == GET) { - if ((curlrc = curl_easy_setopt(easyhandle, CURLOPT_HTTPGET, 1))) + if ((curlrc = curl_easy_setopt(easyhandle, CURLOPT_POSTFIELDSIZE, 0))) return httpRequestFailed(mp); + if ((curlrc = curl_easy_setopt(easyhandle, CURLOPT_HTTPGET, 1L))) + return httpRequestFailed(mp); } else { log(("%s",...

esniper segfaults on OpenBSD 6.4

auction.c hardcoded http without ssl