TL;DR
In a Dec. 29, 2025 blog post, curl lead Daniel Stenberg described removing strcpy from the curl codebase and introducing a new checked string-copy helper. The replacement requires an explicit destination size and source length, copies with memcpy, and explicitly writes the terminating NUL.
What happened
Daniel Stenberg reported that the curl project has moved to eliminate strcpy usage from its source tree. This follows an earlier effort that removed strncpy calls because of that function's confusing semantics (it may not null-terminate and pads the destination). To keep size checks tightly coupled to the copy operation, curl now provides a replacement function that takes the destination pointer, destination size, source pointer and source length, and only performs the copy if there is room for the entire source plus a null terminator. The implementation uses memcpy for the actual copy and explicitly writes the terminating NUL. If the copy would overflow, the function writes an empty string (when possible) instead. Stenberg notes the new API is more verbose than strcpy but argues that the clearer checks reduce the risk of size checks drifting apart from the copy in long-lived code, and that they also remove a common trigger for AI tools to flag strcpy as insecure.
Why it matters
- Places size checks alongside the copy, reducing the chance that pre-copy checks and the call itself drift apart over time.
- Avoids strncpy's awkward semantics by insisting on either a full, null-terminated copy or a clear failure path.
- Uses memcpy under the hood for the copy while enforcing null termination, providing deterministic behavior.
- May reduce simplistic automated or AI-driven reports that flag strcpy usages as vulnerabilities.
Key facts
- Announcement made in a Dec. 29, 2025 blog post by Daniel Stenberg.
- curl previously removed strncpy from its codebase for its confusing behavior.
- New helper function requires dest pointer, dest size, src pointer and source length.
- Replacement implementation performs a size check, uses memcpy to copy, and ensures the destination is NUL-terminated when the copy succeeds.
- If the source does not fit, the function writes an empty string to the destination when possible.
- Stenberg says the new API is more cumbersome than strcpy but provides stronger oversight.
- Author suggested revisiting the outcome of this approach in the long term ("come back in a decade").
- A minor side effect cited is reducing opportunities for AI chatbots to report strcpy as insecure.
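The checked-copy behavior described above, as an added example that is not curl's source code. The name `checked_strcopy`, its return value, and the `store_name` caller with its sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not curl's code): copy slen bytes of src into dest
   only if dest has room for all of them plus the terminating NUL.
   Returns 1 on success, 0 on failure; the return value is an addition of
   this example and is not described on the page. */
static int checked_strcopy(char *dest, size_t dsize,
                           const char *src, size_t slen)
{
  if(!dest || !dsize)
    return 0;               /* no room even for an empty string */
  if(!src || slen >= dsize) {
    dest[0] = '\0';         /* failure path: leave an empty string */
    return 0;
  }
  memcpy(dest, src, slen);  /* exact length, no scan for a terminator */
  dest[slen] = '\0';        /* terminate explicitly */
  return 1;
}

/* Constructed caller: store a name in a fixed-size field. Returns the
   stored string length, or -1 when the copy was refused. The size check
   lives inside the helper, so it cannot drift away from the copy. */
static int store_name(char *field, size_t fsize, const char *name)
{
  if(!checked_strcopy(field, fsize, name, strlen(name)))
    return -1;
  return (int)strlen(field);
}

int main(void)
{
  char field[8];
  const char *samples[] = { "curl", "libcurl", "libcurl!" }; /* constructed */
  size_t i;
  for(i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
    int rc = store_name(field, sizeof(field), samples[i]);
    printf("%-9s -> rc=%d field=\"%s\"\n", samples[i], rc, field);
  }
  return 0;
}
```

The 7-character input fills the 8-byte field exactly; the 8-character input is refused and the field is left as an empty string rather than truncated.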
What to watch next
- Whether the new helper fully replaces all strcpy instances across curl and related components — not confirmed in the source
- If the change measurably reduces real-world buffer-related bugs in curl over time — not confirmed in the source
- Whether other projects adopt a similar checked-copy pattern — not confirmed in the source
Quick glossary
- strcpy: A C standard library function that copies a null-terminated source string into a destination buffer without taking the destination size as an argument.
- strncpy: A C function that copies up to a specified number of bytes from a source to a destination; it can leave the destination without a trailing NUL and pads with zeros.
- memcpy: A C library function that copies a fixed number of bytes from one memory area to another; it does not examine or append a null terminator.
- null terminator (NUL): A byte with value zero used in C strings to mark the end of the sequence of characters.
Reader FAQ
Why did curl remove strcpy?
Because strcpy lacks explicit size parameters, which can allow size-checks and the copy to drift apart in long-lived code; curl replaced it with a checked helper that enforces size checks at the copy point.
Is strcpy now banned in curl?
According to the post, the project can now ban strcpy usage in the curl source code.
Does the new helper still use memcpy?
Yes—the replacement performs an explicit size check and then uses memcpy to copy the exact source length before appending a NUL.
Will this stop AI tools from flagging issues in curl?
The author calls reduced AI-driven 'strcpy' reports a minor positive side-effect, but notes that automated tools may still find other issues; the long-term effect is not confirmed in the source.

Source excerpt (curl and libcurl, "no strcpy either", December 29, 2025, Daniel Stenberg): "Some time ago I mentioned that we went through the curl source code and eventually got…"
Sources
- no strcpy either
- Curl removes all calls to strcpy | Lobsters
- C strcpy() – evil?
- curl/lib/curlx/strcopy.c at master