Diffstat (limited to 'docs/TODO')
-rw-r--r-- docs/TODO 108
1 files changed, 78 insertions, 30 deletions
diff --git a/docs/TODO b/docs/TODO
index 25f860b4..ea78d9f1 100644
--- a/docs/TODO
+++ b/docs/TODO
@@ -17,12 +17,13 @@
All bugs documented in the KNOWN_BUGS document are subject for fixing!
1. libcurl
+ 1.1 Option to refuse usernames in URLs
1.2 More data sharing
1.3 struct lifreq
1.4 signal-based resolver timeouts
1.5 get rid of PATH_MAX
1.6 Modified buffer size approach
- 1.7 Detect when called from within callbacks
+ 1.7 Support HTTP/2 for HTTP(S) proxies
1.8 CURLOPT_RESOLVE for any port number
1.9 Cache negative name resolves
1.10 auto-detect proxy
@@ -40,6 +41,8 @@
1.23 Offer API to flush the connection pool
1.24 TCP Fast Open for windows
1.25 Expose tried IP addresses that failed
+ 1.26 CURL_REFUSE_CLEARTEXT
+ 1.27 hardcode the "localhost" addresses
2. libcurl - multi interface
2.1 More non-blocking
@@ -65,7 +68,6 @@
5.1 Better persistency for HTTP 1.0
5.2 support FF3 sqlite cookie files
5.3 Rearrange request header order
- 5.4 HTTP Digest using SHA-256
5.5 auth= in URLs
5.6 Refuse "downgrade" redirects
5.7 QUIC
@@ -103,13 +105,12 @@
13. SSL
13.1 Disable specific versions
13.2 Provide mutex locking API
- 13.3 Evaluate SSL patches
+ 13.3 Support in-memory certs/ca certs/keys
13.4 Cache/share OpenSSL contexts
13.5 Export session ids
13.6 Provide callback for cert verification
13.7 improve configure --with-ssl
13.8 Support DANE
- 13.10 Support SSLKEYLOGFILE
13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
13.12 Support HSTS
13.13 Support HPKP
@@ -139,7 +140,9 @@
18.2 glob posts
18.3 prevent file overwriting
18.4 simultaneous parallel transfers
+ 18.5 UTF-8 filenames in Content-Disposition
18.6 warning when setting an option
+ 18.7 warning if curl version is not in sync with libcurl version
18.8 offer color-coded HTTP header output
18.9 Choose the name of file in braces for complex URLs
18.10 improve how curl works in a windows console window
@@ -150,6 +153,7 @@
18.15 --retry should resume
18.16 send only part of --data
18.17 consider file name from the redirected URL with -O ?
+ 18.18 retry on network is unreachable
19. Build
19.1 roffit
@@ -182,6 +186,16 @@
1. libcurl
+1.1 Option to refuse usernames in URLs
+
+ There's a certain risk for application in allowing user names in URLs. For
+ example: if the wrong person gets to set the URL and manages to set a user
+ name in there when .netrc is used, the application may send along a password
+ that otherwise the person couldn't provide.
+
+ A new libcurl option could be added to allow applications to switch off this
+ feature and thus avoid a potential risk.
+
1.2 More data sharing
curl_share_* functions already exist and work, and they can be extended to
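Review bot: The new 1.1 text does not say what libcurl should do when the option is on and a URL carries a user name: fail the transfer with an error, or drop the user name and continue. For the .netrc case described in the first paragraph the difference matters, so state the intended behaviour, and say whether it should also cover URLs reached through redirects. Wording: "risk for application" should read "risk for applications".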
@@ -236,11 +250,9 @@
Dynamically allocate buffer size depending on protocol in use in combination
with freeing it after each individual transfer? Other suggestions?
-1.7 Detect when called from within callbacks
+1.7 Support HTTP/2 for HTTP(S) proxies
- We should set a state variable before calling callbacks, so that we
- subsequently can add code within libcurl that returns error if called within
- callbacks for when that's not supported.
+ Support for doing HTTP/2 to HTTP and HTTPS proxies is still missing.
1.8 CURLOPT_RESOLVE for any port number
@@ -393,6 +405,32 @@
https://github.com/curl/curl/issues/2126
+1.26 CURL_REFUSE_CLEARTEXT
+
+ An environment variable that when set will make libcurl refuse to use any
+ cleartext network protocol. That's all non-encrypted ones (FTP, HTTP, Gopher,
+ etc). By adding the check to libcurl and not just curl, this environment
+ variable can then help users to block all libcurl-using programs from
+ accessing the network using unsafe protocols.
+
+ The variable could be given some sort of syntax or different levels and be
+ used to also allow for example users to refuse libcurl to do transfers with
+ HTTPS certificate checks disabled.
+
+ It could also offer to refuse usernames in URLs (see TODO 1.1)
+
+1.27 hardcode the "localhost" addresses
+
+ There's this new spec getting adopted that says "localhost" should always and
+ unconditionally be a local address and not get resolved by a DNS server. A
+ fine way for curl to fix this would be to simply hard-code the response to
+ 127.0.0.1 and/or ::1 (depending on what IP versions that are requested). This
+ is what the browsers probably will do with this hostname.
+
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1220810
+
+ https://tools.ietf.org/html/draft-ietf-dnsop-let-localhost-be-localhost-02
+
2. libcurl - multi interface
2.1 More non-blocking
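Review bot: In 1.26, "some sort of syntax or different levels" leaves the format of a security control undefined, and the extra uses listed after it (refusing transfers with HTTPS certificate checks disabled, refusing usernames in URLs) are not about cleartext, so the name CURL_REFUSE_CLEARTEXT would no longer describe what the variable does. Either keep the variable to cleartext protocols only or pick a more general name, and note how an unrecognised value should be treated, since a typo that silently turns the check off defeats its purpose.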
@@ -521,15 +559,6 @@
headers use a default value so only headers that need to be moved have to be
specified.
-5.4 HTTP Digest using SHA-256
-
- RFC 7616 introduces an update to the HTTP Digest authentication
- specification, which amongst other thing defines how new digest algorithms
- can be used instead of MD5 which is considered old and not recommended.
-
- See https://tools.ietf.org/html/rfc7616 and
- https://github.com/curl/curl/issues/1018
-
5.5 auth= in URLs
Add the ability to specify the preferred authentication mechanism to use by
@@ -676,10 +705,13 @@ that doesn't exist on the server, just like --ftp-create-dirs.
library, so that the same application code can use mutex-locking
independently of OpenSSL or GnutTLS being used.
-13.3 Evaluate SSL patches
+13.3 Support in-memory certs/ca certs/keys
- Evaluate/apply Gertjan van Wingerde's SSL patches:
- https://curl.haxx.se/mail/lib-2004-03/0087.html
+ You can specify the private and public keys for SSH/SSL as file paths. Some
+ programs want to avoid using files and instead just pass them as in-memory
+ data blobs. There's probably a challenge to make this work across the
+ plethory of different TLS and SSH backends that curl suppports.
+ https://github.com/curl/curl/issues/2310
13.4 Cache/share OpenSSL contexts
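Review bot: Two typos in the added 13.3 paragraph: "plethory" should be "plethora" and "suppports" should be "supports". The heading names certs, CA certs and keys but the body only mentions "private and public keys", so add certificates and CA certificates to the first sentence to match the heading.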
@@ -731,16 +763,6 @@ that doesn't exist on the server, just like --ftp-create-dirs.
Björn Stenberg wrote a separate initial take on DANE that was never
completed.
-13.10 Support SSLKEYLOGFILE
-
- When used, Firefox and Chrome dumps their master TLS keys to the file name
- this environment variable specifies. This allows tools like for example
- Wireshark to capture and decipher TLS traffic to/from those clients. libcurl
- could be made to support this more widely (presumably this already works when
- built with NSS). Peter Wu made a OpenSSL preload to make possible that can be
- used as inspiration and guidance
- https://git.lekensteyn.nl/peter/wireshark-notes/tree/src/sslkeylog.c
-
13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root
@@ -908,12 +930,26 @@ that doesn't exist on the server, just like --ftp-create-dirs.
Using the multi interface would also allow properly using parallel transfers
with HTTP/2 and supporting HTTP/2 server push from the command line.
+18.5 UTF-8 filenames in Content-Disposition
+
+ RFC 6266 documents how UTF-8 names can be passed to a client in the
+ Content-Disposition header, and curl does not support this.
+
+ https://github.com/curl/curl/issues/1888
+
18.6 warning when setting an option
Display a warning when libcurl returns an error when setting an option.
This can be useful to tell when support for a particular feature hasn't been
compiled into the library.
+18.7 warning if curl version is not in sync with libcurl version
+
+ This is usually a sign of a funny, weird or unexpected install situations
+ that aren't always quickly nor easily detected by users. curl and libcurl are
+ always released in sync and should use the same version numbers unless very
+ special situations.
+
18.8 offer color-coded HTTP header output
By offering different color output on the header name and the header
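Review bot: The 18.7 text has grammar slips: "a sign of a funny, weird or unexpected install situations" mixes singular and plural, and "unless very special situations" is missing a preposition (for example "except in very special situations"). It would also help to say which two version numbers the tool compares, and, unlike 18.5, the entry has no issue link.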
@@ -1015,6 +1051,18 @@ that doesn't exist on the server, just like --ftp-create-dirs.
See https://github.com/curl/curl/issues/1241
+18.18 retry on network is unreachable
+
+ The --retry option retries transfers on "transient failures". We later added
+ --retry-connrefused to also retry for "connection refused" errors.
+
+ Suggestions have been brought to also allow retry on "network is unreachable"
+ errors and while totally reasonable, maybe we should consider a way to make
+ this more configurable than to add a new option for every new error people
+ want to retry for?
+
+ https://github.com/curl/curl/issues/1603
+
19. Build
19.1 roffit