While @bagder closed this curl H1 report, this behavior may lead to some interesting vulns ITW:

https://hackerone.com/reports/2550951

It's worth watching what DEVCORE is doing ;)

@buherator @bagder Nice bug. I agree that curl is the "victim" here. If the underlying OS is doing dumb shit, then it's hard to circumvent that. Especially since the application is sitting "on top" of the OS and not below. At the same time, when there's a widespread pattern of insecure code and the lower layer (the OS) is known not to fix it or not fast enough, there's value in providing temporary hacks as a mitigation.

But yeah, that's a tough call :)
