Why are people still using libcurl?
Because it is liberally licensed, robust, supports many protocols, and is performant and efficient?
All true, but it’s not a completely invalid question. What people want from libcurl and what libcurl gives aren’t exact matches. It’s not the fault of libcurl that input validation wasn’t done, but the fact that such mistakes keep recurring suggests that even if we don’t want to reevaluate the design of the library, we should reevaluate the decision to use it in these scenarios.
Or to rephrase, why do these mistakes keep happening? Or more exactly, why don’t people know they need to validate libcurl inputs?
I certainly think that difficult interfaces can and should be rethought (libtls is a great example of this). Sane defaults are also very important. In addition, software generally tends to only grow in features and complexity over time (I mean, libcurl supports POP3, LDAP, and SMTP? Kinda weird!).
I imagine the world would be well served by a cleaner interface for libcurl, or even just better defaults (maybe CURLOPT_PROTOCOLS set to HTTP/HTTPS by default instead of CURLPROTO_ALL).
That’s the kind of change that has to be done in a new major version, and I can imagine the curl developers would be reluctant to do that.
Agreed, and I’d say we should teach people to validate every inputs to their web apps.
As the saying goes, you can always build better tools, but someone will make a better idiot.