TODO 47 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312
  1. _ _ ____ _
  2. ___| | | | _ \| |
  3. / __| | | | |_) | |
  4. | (__| |_| | _ <| |___
  5. \___|\___/|_| \_\_____|
  6. Things that could be nice to do in the future
  7. Things to do in project curl. Please tell us what you think, contribute and
  8. send us patches that improve things.
  9. Be aware that these are things that we could do, or have once been considered
  10. things we could do. If you want to work on any of these areas, please
  11. consider bringing it up for discussions first on the mailing list so that we
  12. all agree it is still a good idea for the project.
  13. All bugs documented in the KNOWN_BUGS document are subject for fixing.
  14. 1. libcurl
  15. 1.1 TFO support on Windows
  16. 1.2 Consult %APPDATA% also for .netrc
  17. 1.3 struct lifreq
  18. 1.4 alt-svc sharing
  19. 1.5 get rid of PATH_MAX
  20. 1.6 native IDN support on macOS
  21. 1.7 Support HTTP/2 for HTTP(S) proxies
  22. 1.8 CURLOPT_RESOLVE for any port number
  23. 1.9 Cache negative name resolves
  24. 1.10 auto-detect proxy
  25. 1.11 minimize dependencies with dynamically loaded modules
  26. 1.12 updated DNS server while running
  27. 1.13 c-ares and CURLOPT_OPENSOCKETFUNCTION
  28. 1.15 Monitor connections in the connection pool
  29. 1.16 Try to URL encode given URL
  30. 1.17 Add support for IRIs
  31. 1.18 try next proxy if one does not work
  32. 1.19 provide timing info for each redirect
  33. 1.20 SRV and URI DNS records
  34. 1.21 netrc caching and sharing
  35. 1.22 CURLINFO_PAUSE_STATE
  36. 1.23 Offer API to flush the connection pool
  37. 1.25 Expose tried IP addresses that failed
  38. 1.28 FD_CLOEXEC
  39. 1.29 Upgrade to websockets
  40. 1.30 config file parsing
  41. 1.31 erase secrets from heap/stack after use
  42. 1.32 add asynch getaddrinfo support
  43. 2. libcurl - multi interface
  44. 2.1 More non-blocking
  45. 2.2 Better support for same name resolves
  46. 2.3 Non-blocking curl_multi_remove_handle()
  47. 2.4 Split connect and authentication process
  48. 2.5 Edge-triggered sockets should work
  49. 2.6 multi upkeep
  50. 2.7 Virtual external sockets
  51. 2.8 dynamically decide to use socketpair
  52. 3. Documentation
  53. 3.1 Improve documentation about fork safety
  54. 3.2 Provide cmake config-file
  55. 4. FTP
  56. 4.1 HOST
  57. 4.2 Alter passive/active on failure and retry
  58. 4.3 Earlier bad letter detection
  59. 4.4 Support CURLOPT_PREQUOTE for dir listings too
  60. 4.5 ASCII support
  61. 4.6 GSSAPI via Windows SSPI
  62. 4.7 STAT for LIST without data connection
  63. 5. HTTP
  64. 5.1 Provide the error body from a CONNNECT response
  65. 5.2 Set custom client ip when using haproxy protocol
  66. 5.3 Rearrange request header order
  67. 5.4 Allow SAN names in HTTP/2 server push
  68. 5.5 auth= in URLs
  69. 5.6 alt-svc should fallback if alt-svc does not work
  70. 5.7 Require HTTP version X or higher
  71. 6. TELNET
  72. 6.1 ditch stdin
  73. 6.2 ditch telnet-specific select
  74. 6.3 feature negotiation debug data
  75. 6.4 exit immediately upon connection if stdin is /dev/null
  76. 7. SMTP
  77. 7.1 Passing NOTIFY option to CURLOPT_MAIL_RCPT
  78. 7.2 Enhanced capability support
  79. 7.3 Add CURLOPT_MAIL_CLIENT option
  80. 8. POP3
  81. 8.2 Enhanced capability support
  82. 9. IMAP
  83. 9.1 Enhanced capability support
  84. 10. LDAP
  85. 10.1 SASL based authentication mechanisms
  86. 10.2 CURLOPT_SSL_CTX_FUNCTION for LDAPS
  87. 10.3 Paged searches on LDAP server
  88. 11. SMB
  89. 11.1 File listing support
  90. 11.2 Honor file timestamps
  91. 11.3 Use NTLMv2
  92. 11.4 Create remote directories
  93. 12. FILE
  94. 12.1 Directory listing for FILE:
  95. 13. TLS
  96. 13.1 TLS-PSK with OpenSSL
  97. 13.2 Provide mutex locking API
  98. 13.3 Defeat TLS fingerprinting
  99. 13.4 Cache/share OpenSSL contexts
  100. 13.5 Export session ids
  101. 13.6 Provide callback for cert verification
  102. 13.7 Less memory massaging with Schannel
  103. 13.8 Support DANE
  104. 13.9 TLS record padding
  105. 13.10 Support Authority Information Access certificate extension (AIA)
  106. 13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
  107. 13.12 Reduce CA certificate bundle reparsing
  108. 13.13 Make sure we forbid TLS 1.3 post-handshake authentication
  109. 13.14 Support the clienthello extension
  110. 14. GnuTLS
  111. 14.2 check connection
  112. 15. Schannel
  113. 15.1 Extend support for client certificate authentication
  114. 15.2 Extend support for the --ciphers option
  115. 15.4 Add option to allow abrupt server closure
  116. 16. SASL
  117. 16.1 Other authentication mechanisms
  118. 16.2 Add QOP support to GSSAPI authentication
  119. 17. SSH protocols
  120. 17.1 Multiplexing
  121. 17.2 Handle growing SFTP files
  122. 17.3 Read keys from ~/.ssh/id_ecdsa, id_ed25519
  123. 17.4 Support CURLOPT_PREQUOTE
  124. 17.5 SSH over HTTPS proxy with more backends
  125. 17.6 SFTP with SCP://
  126. 18. Command line tool
  127. 18.1 sync
  128. 18.2 glob posts
  129. 18.4 --proxycommand
  130. 18.5 UTF-8 filenames in Content-Disposition
  131. 18.6 Option to make -Z merge lined based outputs on stdout
  132. 18.8 Consider convenience options for JSON and XML?
  133. 18.9 Choose the name of file in braces for complex URLs
  134. 18.10 improve how curl works in a windows console window
  135. 18.11 Windows: set attribute 'archive' for completed downloads
  136. 18.12 keep running, read instructions from pipe/socket
  137. 18.13 Ratelimit or wait between serial requests
  138. 18.14 --dry-run
  139. 18.15 --retry should resume
  140. 18.16 send only part of --data
  141. 18.17 consider file name from the redirected URL with -O ?
  142. 18.18 retry on network is unreachable
  143. 18.19 expand ~/ in config files
  144. 18.20 host name sections in config files
  145. 18.21 retry on the redirected-to URL
  146. 18.23 Set the modification date on an uploaded file
  147. 18.24 Use multiple parallel transfers for a single download
  148. 18.25 Prevent terminal injection when writing to terminal
  149. 18.26 Custom progress meter update interval
  150. 19. Build
  151. 19.1 roffit
  152. 19.2 Enable PIE and RELRO by default
  153. 19.3 Do not use GNU libtool on OpenBSD
  154. 19.4 Package curl for Windows in a signed installer
  155. 19.5 make configure use --cache-file more and better
  156. 20. Test suite
  157. 20.1 SSL tunnel
  158. 20.2 nicer lacking perl message
  159. 20.3 more protocols supported
  160. 20.4 more platforms supported
  161. 20.5 Add support for concurrent connections
  162. 20.6 Use the RFC6265 test suite
  163. 20.7 Support LD_PRELOAD on macOS
  164. 20.8 Run web-platform-tests URL tests
  165. 21. MQTT
  166. 21.1 Support rate-limiting
  167. ==============================================================================
  168. 1. libcurl
  169. 1.1 TFO support on Windows
  170. libcurl supports the CURLOPT_TCP_FASTOPEN option since 7.49.0 for Linux and
  171. Mac OS. Windows supports TCP Fast Open starting with Windows 10, version 1607
  172. and we should add support for it.
  173. TCP Fast Open is supported on several platforms but not on Windows. Work on
  174. this was once started but never finished.
  175. See https://github.com/curl/curl/pull/3378
  176. 1.2 Consult %APPDATA% also for .netrc
  177. %APPDATA%\.netrc is not considered when running on Windows. should not it?
  178. See https://github.com/curl/curl/issues/4016
  179. 1.3 struct lifreq
  180. Use 'struct lifreq' and SIOCGLIFADDR instead of 'struct ifreq' and
  181. SIOCGIFADDR on newer Solaris versions as they claim the latter is obsolete.
  182. To support IPv6 interface addresses for network interfaces properly.
  183. 1.4 alt-svc sharing
  184. The share interface could benefit from allowing the alt-svc cache to be
  185. possible to share between easy handles.
  186. See https://github.com/curl/curl/issues/4476
  187. 1.5 get rid of PATH_MAX
  188. Having code use and rely on PATH_MAX is not nice:
  189. https://insanecoding.blogspot.com/2007/11/pathmax-simply-isnt.html
  190. Currently the libssh2 SSH based code uses it, but to remove PATH_MAX from
  191. there we need libssh2 to properly tell us when we pass in a too small buffer
  192. and its current API (as of libssh2 1.2.7) does not.
  193. 1.6 native IDN support on macOS
  194. On recent macOS versions, the getaddrinfo() function itself has built-in IDN
  195. support. By setting the AI_CANONNAME flag, the function will return the
  196. encoded name in the ai_canonname struct field in the returned information.
  197. This could be used by curl on macOS when built without a separate IDN library
  198. and an IDN host name is used in a URL.
  199. See initial work in https://github.com/curl/curl/pull/5371
  200. 1.7 Support HTTP/2 for HTTP(S) proxies
  201. Support for doing HTTP/2 to HTTP and HTTPS proxies is still missing.
  202. See https://github.com/curl/curl/issues/3570
  203. 1.8 CURLOPT_RESOLVE for any port number
  204. This option allows applications to set a replacement IP address for a given
  205. host + port pair. Consider making support for providing a replacement address
  206. for the host name on all port numbers.
  207. See https://github.com/curl/curl/issues/1264
  208. 1.9 Cache negative name resolves
  209. A name resolve that has failed is likely to fail when made again within a
  210. short period of time. Currently we only cache positive responses.
  211. 1.10 auto-detect proxy
  212. libcurl could be made to detect the system proxy setup automatically and use
  213. that. On Windows, macOS and Linux desktops for example.
  214. The pull-request to use libproxy for this was deferred due to doubts on the
  215. reliability of the dependency and how to use it:
  216. https://github.com/curl/curl/pull/977
  217. libdetectproxy is a (C++) library for detecting the proxy on Windows
  218. https://github.com/paulharris/libdetectproxy
  219. 1.11 minimize dependencies with dynamically loaded modules
  220. We can create a system with loadable modules/plug-ins, where these modules
  221. would be the ones that link to 3rd party libs. That would allow us to avoid
  222. having to load ALL dependencies since only the necessary ones for this
  223. app/invoke/used protocols would be necessary to load. See
  224. https://github.com/curl/curl/issues/349
  225. 1.12 updated DNS server while running
  226. If /etc/resolv.conf gets updated while a program using libcurl is running, it
  227. is may cause name resolves to fail unless res_init() is called. We should
  228. consider calling res_init() + retry once unconditionally on all name resolve
  229. failures to mitigate against this. Firefox works like that. Note that Windows
  230. does not have res_init() or an alternative.
  231. https://github.com/curl/curl/issues/2251
  232. 1.13 c-ares and CURLOPT_OPENSOCKETFUNCTION
  233. curl will create most sockets via the CURLOPT_OPENSOCKETFUNCTION callback and
  234. close them with the CURLOPT_CLOSESOCKETFUNCTION callback. However, c-ares
  235. does not use those functions and instead opens and closes the sockets
  236. itself. This means that when curl passes the c-ares socket to the
  237. CURLMOPT_SOCKETFUNCTION it is not owned by the application like other sockets.
  238. See https://github.com/curl/curl/issues/2734
  239. 1.15 Monitor connections in the connection pool
  240. libcurl's connection cache or pool holds a number of open connections for the
  241. purpose of possible subsequent connection reuse. It may contain a few up to a
  242. significant amount of connections. Currently, libcurl leaves all connections
  243. as they are and first when a connection is iterated over for matching or
  244. reuse purpose it is verified that it is still alive.
  245. Those connections may get closed by the server side for idleness or they may
  246. get an HTTP/2 ping from the peer to verify that they are still alive. By
  247. adding monitoring of the connections while in the pool, libcurl can detect
  248. dead connections (and close them) better and earlier, and it can handle
  249. HTTP/2 pings to keep such ones alive even when not actively doing transfers
  250. on them.
  251. 1.16 Try to URL encode given URL
  252. Given a URL that for example contains spaces, libcurl could have an option
  253. that would try somewhat harder than it does now and convert spaces to %20 and
  254. perhaps URL encoded byte values over 128 etc (basically do what the redirect
  255. following code already does).
  256. https://github.com/curl/curl/issues/514
  257. 1.17 Add support for IRIs
  258. IRIs (RFC 3987) allow localized, non-ascii, names in the URL. To properly
  259. support this, curl/libcurl would need to translate/encode the given input
  260. from the input string encoding into percent encoded output "over the wire".
  261. To make that work smoothly for curl users even on Windows, curl would
  262. probably need to be able to convert from several input encodings.
  263. 1.18 try next proxy if one does not work
  264. Allow an application to specify a list of proxies to try, and failing to
  265. connect to the first go on and try the next instead until the list is
  266. exhausted. Browsers support this feature at least when they specify proxies
  267. using PACs.
  268. https://github.com/curl/curl/issues/896
  269. 1.19 provide timing info for each redirect
  270. curl and libcurl provide timing information via a set of different
  271. time-stamps (CURLINFO_*_TIME). When curl is following redirects, those
  272. returned time value are the accumulated sums. An improvement could be to
  273. offer separate timings for each redirect.
  274. https://github.com/curl/curl/issues/6743
  275. 1.20 SRV and URI DNS records
  276. Offer support for resolving SRV and URI DNS records for libcurl to know which
  277. server to connect to for various protocols (including HTTP).
  278. 1.21 netrc caching and sharing
  279. The netrc file is read and parsed each time a connection is setup, which
  280. means that if a transfer needs multiple connections for authentication or
  281. redirects, the file might be reread (and parsed) multiple times. This makes
  282. it impossible to provide the file as a pipe.
  283. 1.22 CURLINFO_PAUSE_STATE
  284. Return information about the transfer's current pause state, in both
  285. directions. https://github.com/curl/curl/issues/2588
  286. 1.23 Offer API to flush the connection pool
  287. Sometimes applications want to flush all the existing connections kept alive.
  288. An API could allow a forced flush or just a forced loop that would properly
  289. close all connections that have been closed by the server already.
  290. 1.25 Expose tried IP addresses that failed
  291. When libcurl fails to connect to a host, it could offer the application the
  292. addresses that were used in the attempt. Source + dest IP, source + dest port
  293. and protocol (UDP or TCP) for each failure. Possibly as a callback. Perhaps
  294. also provide "reason".
  295. https://github.com/curl/curl/issues/2126
  296. 1.28 FD_CLOEXEC
  297. It sets the close-on-exec flag for the file descriptor, which causes the file
  298. descriptor to be automatically (and atomically) closed when any of the
  299. exec-family functions succeed. Should probably be set by default?
  300. https://github.com/curl/curl/issues/2252
  301. 1.29 Upgrade to websockets
  302. libcurl could offer a smoother path to get to a websocket connection.
  303. See https://github.com/curl/curl/issues/3523
  304. Michael Kaufmann suggestion here:
  305. https://curl.se/video/curlup-2017/2017-03-19_05_Michael_Kaufmann_Websocket_support_for_curl.mp4
  306. 1.30 config file parsing
  307. Consider providing an API, possibly in a separate companion library, for
  308. parsing a config file like curl's -K/--config option to allow applications to
  309. get the same ability to read curl options from files.
  310. See https://github.com/curl/curl/issues/3698
  311. 1.31 erase secrets from heap/stack after use
  312. Introducing a concept and system to erase secrets from memory after use, it
  313. could help mitigate and lessen the impact of (future) security problems etc.
  314. However: most secrets are passed to libcurl as clear text from the
  315. application and then clearing them within the library adds nothing...
  316. https://github.com/curl/curl/issues/7268
  317. 1.32 add asynch getaddrinfo support
  318. Use getaddrinfo_a() to provide an asynch name resolver backend to libcurl
  319. that does not use threads and does not depend on c-ares. The getaddrinfo_a
  320. function is (probably?) glibc specific but that is a widely used libc among
  321. our users.
  322. https://github.com/curl/curl/pull/6746
  323. 2. libcurl - multi interface
  324. 2.1 More non-blocking
  325. Make sure we do not ever loop because of non-blocking sockets returning
  326. EWOULDBLOCK or similar. Blocking cases include:
  327. - Name resolves on non-windows unless c-ares or the threaded resolver is used.
  328. - The threaded resolver may block on cleanup:
  329. https://github.com/curl/curl/issues/4852
  330. - file:// transfers
  331. - TELNET transfers
  332. - GSSAPI authentication for FTP transfers
  333. - The "DONE" operation (post transfer protocol-specific actions) for the
  334. protocols SFTP, SMTP, FTP. Fixing multi_done() for this is a worthy task.
  335. - curl_multi_remove_handle for any of the above. See section 2.3.
  336. 2.2 Better support for same name resolves
  337. If a name resolve has been initiated for name NN and a second easy handle
  338. wants to resolve that name as well, make it wait for the first resolve to end
  339. up in the cache instead of doing a second separate resolve. This is
  340. especially needed when adding many simultaneous handles using the same host
  341. name when the DNS resolver can get flooded.
  342. 2.3 Non-blocking curl_multi_remove_handle()
  343. The multi interface has a few API calls that assume a blocking behavior, like
  344. add_handle() and remove_handle() which limits what we can do internally. The
  345. multi API need to be moved even more into a single function that "drives"
  346. everything in a non-blocking manner and signals when something is done. A
  347. remove or add would then only ask for the action to get started and then
  348. multi_perform() etc still be called until the add/remove is completed.
  349. 2.4 Split connect and authentication process
  350. The multi interface treats the authentication process as part of the connect
  351. phase. As such any failures during authentication will not trigger the relevant
  352. QUIT or LOGOFF for protocols such as IMAP, POP3 and SMTP.
  353. 2.5 Edge-triggered sockets should work
  354. The multi_socket API should work with edge-triggered socket events. One of
  355. the internal actions that need to be improved for this to work perfectly is
  356. the 'maxloops' handling in transfer.c:readwrite_data().
  357. 2.6 multi upkeep
  358. In libcurl 7.62.0 we introduced curl_easy_upkeep. It unfortunately only works
  359. on easy handles. We should introduces a version of that for the multi handle,
  360. and also consider doing "upkeep" automatically on connections in the
  361. connection pool when the multi handle is in used.
  362. See https://github.com/curl/curl/issues/3199
  363. 2.7 Virtual external sockets
  364. libcurl performs operations on the given file descriptor that presumes it is
  365. a socket and an application cannot replace them at the moment. Allowing an
  366. application to fully replace those would allow a larger degree of freedom and
  367. flexibility.
  368. See https://github.com/curl/curl/issues/5835
  369. 2.8 dynamically decide to use socketpair
  370. For users who do not use curl_multi_wait() or do not care for
  371. curl_multi_wakeup(), we could introduce a way to make libcurl NOT
  372. create a socketpair in the multi handle.
  373. See https://github.com/curl/curl/issues/4829
  374. 3. Documentation
  375. 3.1 Improve documentation about fork safety
  376. See https://github.com/curl/curl/issues/6968
  377. 3.2 Provide cmake config-file
  378. A config-file package is a set of files provided by us to allow applications
  379. to write cmake scripts to find and use libcurl easier. See
  380. https://github.com/curl/curl/issues/885
  381. 4. FTP
  382. 4.1 HOST
  383. HOST is a command for a client to tell which host name to use, to offer FTP
  384. servers named-based virtual hosting:
  385. https://datatracker.ietf.org/doc/html/rfc7151
  386. 4.2 Alter passive/active on failure and retry
  387. When trying to connect passively to a server which only supports active
  388. connections, libcurl returns CURLE_FTP_WEIRD_PASV_REPLY and closes the
  389. connection. There could be a way to fallback to an active connection (and
  390. vice versa). https://curl.se/bug/feature.cgi?id=1754793
  391. 4.3 Earlier bad letter detection
  392. Make the detection of (bad) %0d and %0a codes in FTP URL parts earlier in the
  393. process to avoid doing a resolve and connect in vain.
  394. 4.4 Support CURLOPT_PREQUOTE for dir listings too
  395. The lack of support is mostly an oversight and requires the FTP state machine
  396. to get updated to get fixed.
  397. https://github.com/curl/curl/issues/8602
  398. 4.5 ASCII support
  399. FTP ASCII transfers do not follow RFC959. They do not convert the data
  400. accordingly.
  401. 4.6 GSSAPI via Windows SSPI
  402. In addition to currently supporting the SASL GSSAPI mechanism (Kerberos V5)
  403. via third-party GSS-API libraries, such as Heimdal or MIT Kerberos, also add
  404. support for GSSAPI authentication via Windows SSPI.
  405. 4.7 STAT for LIST without data connection
  406. Some FTP servers allow STAT for listing directories instead of using LIST,
  407. and the response is then sent over the control connection instead of as the
  408. otherwise usedw data connection: https://www.nsftools.com/tips/RawFTP.htm#STAT
  409. This is not detailed in any FTP specification.
  410. 5. HTTP
  411. 5.1 Provide the error body from a CONNNECT response
  412. When curl receives a body response from a CONNECT request to a proxy, it will
  413. always just read and ignore it. It would make some users happy if curl
  414. instead optionally would be able to make that responsible available. Via a new
  415. callback? Through some other means?
  416. See https://github.com/curl/curl/issues/9513
  417. 5.2 Set custom client ip when using haproxy protocol
  418. This would allow testing servers with different client ip addresses (without
  419. using x-forward-for header).
  420. https://github.com/curl/curl/issues/5125
  421. 5.3 Rearrange request header order
  422. Server implementors often make an effort to detect browser and to reject
  423. clients it can detect to not match. One of the last details we cannot yet
  424. control in libcurl's HTTP requests, which also can be exploited to detect
  425. that libcurl is in fact used even when it tries to impersonate a browser, is
  426. the order of the request headers. I propose that we introduce a new option in
  427. which you give headers a value, and then when the HTTP request is built it
  428. sorts the headers based on that number. We could then have internally created
  429. headers use a default value so only headers that need to be moved have to be
  430. specified.
  431. 5.4 Allow SAN names in HTTP/2 server push
  432. curl only allows HTTP/2 push promise if the provided :authority header value
  433. exactly matches the host name given in the URL. It could be extended to allow
  434. any name that would match the Subject Alternative Names in the server's TLS
  435. certificate.
  436. See https://github.com/curl/curl/pull/3581
  437. 5.5 auth= in URLs
  438. Add the ability to specify the preferred authentication mechanism to use by
  439. using ;auth=<mech> in the login part of the URL.
  440. For example:
  441. http://test:pass;auth=NTLM@example.com would be equivalent to specifying
  442. --user test:pass;auth=NTLM or --user test:pass --ntlm from the command line.
  443. Additionally this should be implemented for proxy base URLs as well.
  444. 5.6 alt-svc should fallback if alt-svc does not work
  445. The alt-svc: header provides a set of alternative services for curl to use
  446. instead of the original. If the first attempted one fails, it should try the
  447. next etc and if all alternatives fail go back to the original.
  448. See https://github.com/curl/curl/issues/4908
  449. 5.7 Require HTTP version X or higher
  450. curl and libcurl provide options for trying higher HTTP versions (for example
  451. HTTP/2) but then still allows the server to pick version 1.1. We could
  452. consider adding a way to require a minimum version.
  453. See https://github.com/curl/curl/issues/7980
  454. 6. TELNET
  455. 6.1 ditch stdin
  456. Reading input (to send to the remote server) on stdin is a crappy solution
  457. for library purposes. We need to invent a good way for the application to be
  458. able to provide the data to send.
  459. 6.2 ditch telnet-specific select
  460. Move the telnet support's network select() loop go away and merge the code
  461. into the main transfer loop. Until this is done, the multi interface will not
  462. work for telnet.
  463. 6.3 feature negotiation debug data
  464. Add telnet feature negotiation data to the debug callback as header data.
  465. 6.4 exit immediately upon connection if stdin is /dev/null
  466. If it did, curl could be used to probe if there's an server there listening
  467. on a specific port. That is, the following command would exit immediately
  468. after the connection is established with exit code 0:
  469. curl -s --connect-timeout 2 telnet://example.com:80 </dev/null
  470. 7. SMTP
  471. 7.1 Passing NOTIFY option to CURLOPT_MAIL_RCPT
  472. Is there a way to pass the NOTIFY option to the CURLOPT_MAIL_RCPT option ? I
  473. set a string that already contains a bracket. For instance something like
  474. that: curl_slist_append( recipients, "<foo@bar> NOTIFY=SUCCESS,FAILURE" );
  475. https://github.com/curl/curl/issues/8232
  476. 7.2 Enhanced capability support
  477. Add the ability, for an application that uses libcurl, to obtain the list of
  478. capabilities returned from the EHLO command.
  479. 7.3 Add CURLOPT_MAIL_CLIENT option
  480. Rather than use the URL to specify the mail client string to present in the
  481. HELO and EHLO commands, libcurl should support a new CURLOPT specifically for
  482. specifying this data as the URL is non-standard and to be honest a bit of a
  483. hack ;-)
  484. Please see the following thread for more information:
  485. https://curl.se/mail/lib-2012-05/0178.html
  486. 8. POP3
  487. 8.2 Enhanced capability support
  488. Add the ability, for an application that uses libcurl, to obtain the list of
  489. capabilities returned from the CAPA command.
  490. 9. IMAP
  491. 9.1 Enhanced capability support
  492. Add the ability, for an application that uses libcurl, to obtain the list of
  493. capabilities returned from the CAPABILITY command.
  494. 10. LDAP
  495. 10.1 SASL based authentication mechanisms
  496. Currently the LDAP module only supports ldap_simple_bind_s() in order to bind
  497. to an LDAP server. However, this function sends username and password details
  498. using the simple authentication mechanism (as clear text). However, it should
  499. be possible to use ldap_bind_s() instead specifying the security context
  500. information ourselves.
  501. 10.2 CURLOPT_SSL_CTX_FUNCTION for LDAPS
  502. CURLOPT_SSL_CTX_FUNCTION works perfectly for HTTPS and email protocols, but
  503. it has no effect for LDAPS connections.
  504. https://github.com/curl/curl/issues/4108
  505. 10.3 Paged searches on LDAP server
  506. https://github.com/curl/curl/issues/4452
  507. 11. SMB
  508. 11.1 File listing support
  509. Add support for listing the contents of a SMB share. The output should
  510. probably be the same as/similar to FTP.
  511. 11.2 Honor file timestamps
  512. The timestamp of the transferred file should reflect that of the original
  513. file.
  514. 11.3 Use NTLMv2
  515. Currently the SMB authentication uses NTLMv1.
  516. 11.4 Create remote directories
  517. Support for creating remote directories when uploading a file to a directory
  518. that does not exist on the server, just like --ftp-create-dirs.
  519. 12. FILE
  520. 12.1 Directory listing for FILE:
  521. Add support for listing the contents of a directory accessed with FILE. The
  522. output should probably be the same as/similar to FTP.
  523. 13. TLS
  524. 13.1 TLS-PSK with OpenSSL
  525. Transport Layer Security pre-shared key ciphersuites (TLS-PSK) is a set of
  526. cryptographic protocols that provide secure communication based on pre-shared
  527. keys (PSKs). These pre-shared keys are symmetric keys shared in advance among
  528. the communicating parties.
  529. https://github.com/curl/curl/issues/5081
  530. 13.2 Provide mutex locking API
  531. Provide a libcurl API for setting mutex callbacks in the underlying SSL
  532. library, so that the same application code can use mutex-locking
  533. independently of OpenSSL or GnutTLS being used.
  534. 13.3 Defeat TLS fingerprinting
  535. By changing the order of TLS extensions provided in the TLS handshake, it is
  536. sometimes possible to circumvent TLS fingerprinting by servers. The TLS
  537. extension order is of course not the only way to fingerprint a client.
  538. See https://github.com/curl/curl/issues/8119
  539. 13.4 Cache/share OpenSSL contexts
  540. "Look at SSL cafile - quick traces look to me like these are done on every
  541. request as well, when they should only be necessary once per SSL context (or
  542. once per handle)". The major improvement we can rather easily do is to make
  543. sure we do not create and kill a new SSL "context" for every request, but
  544. instead make one for every connection and re-use that SSL context in the same
  545. style connections are re-used. It will make us use slightly more memory but
  546. it will libcurl do less creations and deletions of SSL contexts.
  547. Technically, the "caching" is probably best implemented by getting added to
  548. the share interface so that easy handles who want to and can reuse the
  549. context specify that by sharing with the right properties set.
  550. https://github.com/curl/curl/issues/1110
  551. 13.5 Export session ids
  552. Add an interface to libcurl that enables "session IDs" to get
  553. exported/imported. Cris Bailiff said: "OpenSSL has functions which can
  554. serialise the current SSL state to a buffer of your choice, and recover/reset
  555. the state from such a buffer at a later date - this is used by mod_ssl for
  556. apache to implement and SSL session ID cache".
  557. 13.6 Provide callback for cert verification
  558. OpenSSL supports a callback for customised verification of the peer
  559. certificate, but this does not seem to be exposed in the libcurl APIs. Could
  560. it be? There's so much that could be done if it were.
  561. 13.7 Less memory massaging with Schannel
  562. The Schannel backend does a lot of custom memory management we would rather
  563. avoid: the repeated alloc + free in sends and the custom memory + realloc
  564. system for encrypted and decrypted data. That should be avoided and reduced
  565. for 1) efficiency and 2) safety.
  566. 13.8 Support DANE
  567. DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL
  568. keys and certs over DNS using DNSSEC as an alternative to the CA model.
  569. https://www.rfc-editor.org/rfc/rfc6698.txt
  570. An initial patch was posted by Suresh Krishnaswamy on March 7th 2013
  571. (https://curl.se/mail/lib-2013-03/0075.html) but it was a too simple
  572. approach. See Daniel's comments:
  573. https://curl.se/mail/lib-2013-03/0103.html . libunbound may be the
  574. correct library to base this development on.
  575. Björn Stenberg wrote a separate initial take on DANE that was never
  576. completed.
  577. 13.9 TLS record padding
  578. TLS (1.3) offers optional record padding and OpenSSL provides an API for it.
  579. I could make sense for libcurl to offer this ability to applications to make
  580. traffic patterns harder to figure out by network traffic observers.
  581. See https://github.com/curl/curl/issues/5398
  582. 13.10 Support Authority Information Access certificate extension (AIA)
  583. AIA can provide various things like CRLs but more importantly information
  584. about intermediate CA certificates that can allow validation path to be
  585. fulfilled when the HTTPS server does not itself provide them.
  586. Since AIA is about downloading certs on demand to complete a TLS handshake,
  587. it is probably a bit tricky to get done right.
  588. See https://github.com/curl/curl/issues/2793
  589. 13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
  590. CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root
  591. certificates when comparing the pinned keys. Therefore it is not compatible
  592. with "HTTP Public Key Pinning" as there also intermediate and root
  593. certificates can be pinned. This is useful as it prevents webadmins from
  594. "locking themselves out of their servers".
  595. Adding this feature would make curls pinning 100% compatible to HPKP and
  596. allow more flexible pinning.
  597. 13.12 Reduce CA certificate bundle reparsing
  598. When using the OpenSSL backend, curl will load and reparse the CA bundle at
  599. the creation of the "SSL context" when it sets up a connection to do a TLS
  600. handshake. A more effective way would be to somehow cache the CA bundle to
  601. avoid it having to be repeatedly reloaded and reparsed.
  602. See https://github.com/curl/curl/issues/9379
  603. 13.13 Make sure we forbid TLS 1.3 post-handshake authentication
  604. RFC 8740 explains how using HTTP/2 must forbid the use of TLS 1.3
  605. post-handshake authentication. We should make sure to live up to that.
  606. See https://github.com/curl/curl/issues/5396
  607. 13.14 Support the clienthello extension
  608. Certain stupid networks and middle boxes have a problem with SSL handshake
  609. packets that are within a certain size range because how that sets some bits
  610. that previously (in older TLS version) were not set. The clienthello
  611. extension adds padding to avoid that size range.
  612. https://datatracker.ietf.org/doc/html/rfc7685
  613. https://github.com/curl/curl/issues/2299
  614. 14. GnuTLS
  615. 14.2 check connection
  616. Add a way to check if the connection seems to be alive, to correspond to the
  617. SSL_peak() way we use with OpenSSL.
  618. 15. Schannel
  619. 15.1 Extend support for client certificate authentication
  620. The existing support for the -E/--cert and --key options could be
  621. extended by supplying a custom certificate and key in PEM format, see:
  622. - Getting a Certificate for Schannel
  623. https://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx
  624. 15.2 Extend support for the --ciphers option
  625. The existing support for the --ciphers option could be extended
  626. by mapping the OpenSSL/GnuTLS cipher suites to the Schannel APIs, see
  627. - Specifying Schannel Ciphers and Cipher Strengths
  628. https://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx
  629. 15.4 Add option to allow abrupt server closure
  630. libcurl w/schannel will error without a known termination point from the
  631. server (such as length of transfer, or SSL "close notify" alert) to prevent
  632. against a truncation attack. Really old servers may neglect to send any
  633. termination point. An option could be added to ignore such abrupt closures.
  634. https://github.com/curl/curl/issues/4427
  635. 16. SASL
  636. 16.1 Other authentication mechanisms
  637. Add support for other authentication mechanisms such as OLP,
  638. GSS-SPNEGO and others.
  639. 16.2 Add QOP support to GSSAPI authentication
  640. Currently the GSSAPI authentication only supports the default QOP of auth
  641. (Authentication), whilst Kerberos V5 supports both auth-int (Authentication
  642. with integrity protection) and auth-conf (Authentication with integrity and
  643. privacy protection).
  644. 17. SSH protocols
  645. 17.1 Multiplexing
  646. SSH is a perfectly fine multiplexed protocols which would allow libcurl to do
  647. multiple parallel transfers from the same host using the same connection,
  648. much in the same spirit as HTTP/2 does. libcurl however does not take
  649. advantage of that ability but will instead always create a new connection for
  650. new transfers even if an existing connection already exists to the host.
  651. To fix this, libcurl would have to detect an existing connection and "attach"
  652. the new transfer to the existing one.
  653. 17.2 Handle growing SFTP files
  654. The SFTP code in libcurl checks the file size *before* a transfer starts and
  655. then proceeds to transfer exactly that amount of data. If the remote file
  656. grows while the transfer is in progress libcurl will not notice and will not
  657. adapt. The OpenSSH SFTP command line tool does and libcurl could also just
  658. attempt to download more to see if there is more to get...
  659. https://github.com/curl/curl/issues/4344
  660. 17.3 Read keys from ~/.ssh/id_ecdsa, id_ed25519
  661. The libssh2 backend in curl is limited to only reading keys from id_rsa and
  662. id_dsa, which makes it fail connecting to servers that use more modern key
  663. types.
  664. https://github.com/curl/curl/issues/8586
  665. 17.4 Support CURLOPT_PREQUOTE
  666. The two other QUOTE options are supported for SFTP, but this was left out for
  667. unknown reasons.
  668. 17.5 SSH over HTTPS proxy with more backends
  669. The SSH based protocols SFTP and SCP did not work over HTTPS proxy at
  670. all until PR https://github.com/curl/curl/pull/6021 brought the
  671. functionality with the libssh2 backend. Presumably, this support
  672. can/could be added for the other backends as well.
  673. 17.6 SFTP with SCP://
  674. OpenSSH 9 switched their 'scp' tool to speak SFTP under the hood. Going
  675. forward it might be worth having curl or libcurl attempt SFTP if SCP fails to
  676. follow suite.
  677. 18. Command line tool
  678. 18.1 sync
  679. "curl --sync http://example.com/feed[1-100].rss" or
  680. "curl --sync http://example.net/{index,calendar,history}.html"
  681. Downloads a range or set of URLs using the remote name, but only if the
  682. remote file is newer than the local file. A Last-Modified HTTP date header
  683. should also be used to set the mod date on the downloaded file.
  684. 18.2 glob posts
  685. Globbing support for -d and -F, as in 'curl -d "name=foo[0-9]" URL'.
  686. This is easily scripted though.
  687. 18.4 --proxycommand
  688. Allow the user to make curl run a command and use its stdio to make requests
  689. and not do any network connection by itself. Example:
  690. curl --proxycommand 'ssh pi@raspberrypi.local -W 10.1.1.75 80' \
  691. http://some/otherwise/unavailable/service.php
  692. See https://github.com/curl/curl/issues/4941
  693. 18.5 UTF-8 filenames in Content-Disposition
  694. RFC 6266 documents how UTF-8 names can be passed to a client in the
  695. Content-Disposition header, and curl does not support this.
  696. https://github.com/curl/curl/issues/1888
  697. 18.6 Option to make -Z merge lined based outputs on stdout
  698. When a user requests multiple lined based files using -Z and sends them to
  699. stdout, curl will not "merge" and send complete lines fine but may send
  700. partial lines from several sources.
  701. https://github.com/curl/curl/issues/5175
  702. 18.8 Consider convenience options for JSON and XML?
  703. Could we add `--xml` or `--json` to add headers needed to call rest API:
  704. `--xml` adds -H 'Content-Type: application/xml' -H "Accept: application/xml" and
  705. `--json` adds -H 'Content-Type: application/json' -H "Accept: application/json"
  706. Setting Content-Type when doing a GET or any other method without a body
  707. would be a bit strange I think - so maybe only add CT for requests with body?
  708. Maybe plain `--xml` and ` --json` are a bit too brief and generic. Maybe
  709. `--http-json` etc?
  710. See https://github.com/curl/curl/issues/5203
  711. 18.9 Choose the name of file in braces for complex URLs
  712. When using braces to download a list of URLs and you use complicated names
  713. in the list of alternatives, it could be handy to allow curl to use other
  714. names when saving.
  715. Consider a way to offer that. Possibly like
  716. {partURL1:name1,partURL2:name2,partURL3:name3} where the name following the
  717. colon is the output name.
  718. See https://github.com/curl/curl/issues/221
  719. 18.10 improve how curl works in a windows console window
  720. If you pull the scrollbar when transferring with curl in a Windows console
  721. window, the transfer is interrupted and can get disconnected. This can
  722. probably be improved. See https://github.com/curl/curl/issues/322
  723. 18.11 Windows: set attribute 'archive' for completed downloads
  724. The archive bit (FILE_ATTRIBUTE_ARCHIVE, 0x20) separates files that shall be
  725. backed up from those that are either not ready or have not changed.
  726. Downloads in progress are neither ready to be backed up, nor should they be
  727. opened by a different process. Only after a download has been completed it's
  728. sensible to include it in any integer snapshot or backup of the system.
  729. See https://github.com/curl/curl/issues/3354
  730. 18.12 keep running, read instructions from pipe/socket
  731. Provide an option that makes curl not exit after the last URL (or even work
  732. without a given URL), and then make it read instructions passed on a pipe or
  733. over a socket to make further instructions so that a second subsequent curl
  734. invoke can talk to the still running instance and ask for transfers to get
  735. done, and thus maintain its connection pool, DNS cache and more.
  736. 18.13 Ratelimit or wait between serial requests
  737. Consider a command line option that can make curl do multiple serial requests
  738. slow, potentially with a (random) wait between transfers. There's also a
  739. proposed set of standard HTTP headers to let servers let the client adapt to
  740. its rate limits:
  741. https://www.ietf.org/id/draft-polli-ratelimit-headers-02.html
  742. See https://github.com/curl/curl/issues/5406
  743. 18.14 --dry-run
  744. A command line option that makes curl show exactly what it would do and send
  745. if it would run for real.
  746. See https://github.com/curl/curl/issues/5426
  747. 18.15 --retry should resume
  748. When --retry is used and curl actually retries transfer, it should use the
  749. already transferred data and do a resumed transfer for the rest (when
  750. possible) so that it does not have to transfer the same data again that was
  751. already transferred before the retry.
  752. See https://github.com/curl/curl/issues/1084
  753. 18.16 send only part of --data
  754. When the user only wants to send a small piece of the data provided with
  755. --data or --data-binary, like when that data is a huge file, consider a way
  756. to specify that curl should only send a piece of that. One suggested syntax
  757. would be: "--data-binary @largefile.zip!1073741823-2147483647".
  758. See https://github.com/curl/curl/issues/1200
  759. 18.17 consider file name from the redirected URL with -O ?
  760. When a user gives a URL and uses -O, and curl follows a redirect to a new
  761. URL, the file name is not extracted and used from the newly redirected-to URL
  762. even if the new URL may have a much more sensible file name.
  763. This is clearly documented and helps for security since there's no surprise
  764. to users which file name that might get overwritten. But maybe a new option
  765. could allow for this or maybe -J should imply such a treatment as well as -J
  766. already allows for the server to decide what file name to use so it already
  767. provides the "may overwrite any file" risk.
  768. This is extra tricky if the original URL has no file name part at all since
  769. then the current code path will error out with an error message, and we cannot
  770. *know* already at that point if curl will be redirected to a URL that has a
  771. file name...
  772. See https://github.com/curl/curl/issues/1241
  773. 18.18 retry on network is unreachable
  774. The --retry option retries transfers on "transient failures". We later added
  775. --retry-connrefused to also retry for "connection refused" errors.
  776. Suggestions have been brought to also allow retry on "network is unreachable"
  777. errors and while totally reasonable, maybe we should consider a way to make
  778. this more configurable than to add a new option for every new error people
  779. want to retry for?
  780. https://github.com/curl/curl/issues/1603
  781. 18.19 expand ~/ in config files
  782. For example .curlrc could benefit from being able to do this.
  783. See https://github.com/curl/curl/issues/2317
  784. 18.20 host name sections in config files
  785. config files would be more powerful if they could set different
  786. configurations depending on used URLs, host name or possibly origin. Then a
  787. default .curlrc could a specific user-agent only when doing requests against
  788. a certain site.
  789. 18.21 retry on the redirected-to URL
  790. When curl is told to --retry a failed transfer and follows redirects, it
  791. might get an HTTP 429 response from the redirected-to URL and not the
  792. original one, which then could make curl decide to rather retry the transfer
  793. on that URL only instead of the original operation to the original URL.
  794. Perhaps extra emphasized if the original transfer is a large POST that
  795. redirects to a separate GET, and that GET is what gets the 529
  796. See https://github.com/curl/curl/issues/5462
  797. 18.23 Set the modification date on an uploaded file
  798. For SFTP and possibly FTP, curl could offer an option to set the
  799. modification time for the uploaded file.
  800. See https://github.com/curl/curl/issues/5768
  801. 18.24 Use multiple parallel transfers for a single download
  802. To enhance transfer speed, downloading a single URL can be split up into
  803. multiple separate range downloads that get combined into a single final
  804. result.
  805. An ideal implementation would not use a specified number of parallel
  806. transfers, but curl could:
  807. - First start getting the full file as transfer A
  808. - If after N seconds have passed and the transfer is expected to continue for
  809. M seconds or more, add a new transfer (B) that asks for the second half of
  810. A's content (and stop A at the middle).
  811. - If splitting up the work improves the transfer rate, it could then be done
  812. again. Then again, etc up to a limit.
  813. This way, if transfer B fails (because Range: is not supported) it will let
  814. transfer A remain the single one. N and M could be set to some sensible
  815. defaults.
  816. See https://github.com/curl/curl/issues/5774
  817. 18.25 Prevent terminal injection when writing to terminal
  818. curl could offer an option to make escape sequence either non-functional or
  819. avoid cursor moves or similar to reduce the risk of a user getting tricked by
  820. clever tricks.
  821. See https://github.com/curl/curl/issues/6150
  822. 18.26 Custom progress meter update interval
  823. Users who are for example doing large downloads in CI or remote setups might
  824. want the occasional progress meter update to see that the transfer is
  825. progressing and has not stuck, but they may not appreciate the
  826. many-times-a-second frequency curl can end up doing it with now.
  827. 19. Build
  828. 19.1 roffit
  829. Consider extending 'roffit' to produce decent ASCII output, and use that
  830. instead of (g)nroff when building src/tool_hugehelp.c
  831. 19.2 Enable PIE and RELRO by default
  832. Especially when having programs that execute curl via the command line, PIE
  833. renders the exploitation of memory corruption vulnerabilities a lot more
  834. difficult. This can be attributed to the additional information leaks being
  835. required to conduct a successful attack. RELRO, on the other hand, masks
  836. different binary sections like the GOT as read-only and thus kills a handful
  837. of techniques that come in handy when attackers are able to arbitrarily
  838. overwrite memory. A few tests showed that enabling these features had close
  839. to no impact, neither on the performance nor on the general functionality of
  840. curl.
  841. 19.3 Do not use GNU libtool on OpenBSD
  842. When compiling curl on OpenBSD with "--enable-debug" it will give linking
  843. errors when you use GNU libtool. This can be fixed by using the libtool
  844. provided by OpenBSD itself. However for this the user always needs to invoke
  845. make with "LIBTOOL=/usr/bin/libtool". It would be nice if the script could
  846. have some magic to detect if this system is an OpenBSD host and then use the
  847. OpenBSD libtool instead.
  848. See https://github.com/curl/curl/issues/5862
  849. 19.4 Package curl for Windows in a signed installer
  850. See https://github.com/curl/curl/issues/5424
  851. 19.5 make configure use --cache-file more and better
  852. The configure script can be improved to cache more values so that repeated
  853. invokes run much faster.
  854. See https://github.com/curl/curl/issues/7753
  855. 20. Test suite
  856. 20.1 SSL tunnel
  857. Make our own version of stunnel for simple port forwarding to enable HTTPS
  858. and FTP-SSL tests without the stunnel dependency, and it could allow us to
  859. provide test tools built with either OpenSSL or GnuTLS
  860. 20.2 nicer lacking perl message
  861. If perl was not found by the configure script, do not attempt to run the tests
  862. but explain something nice why it does not.
  863. 20.3 more protocols supported
  864. Extend the test suite to include more protocols. The telnet could just do FTP
  865. or http operations (for which we have test servers).
  866. 20.4 more platforms supported
  867. Make the test suite work on more platforms. OpenBSD and Mac OS. Remove
  868. fork()s and it should become even more portable.
  869. 20.5 Add support for concurrent connections
  870. Tests 836, 882 and 938 were designed to verify that separate connections
  871. are not used when using different login credentials in protocols that
  872. should not re-use a connection under such circumstances.
  873. Unfortunately, ftpserver.pl does not appear to support multiple concurrent
  874. connections. The read while() loop seems to loop until it receives a
  875. disconnect from the client, where it then enters the waiting for connections
  876. loop. When the client opens a second connection to the server, the first
  877. connection has not been dropped (unless it has been forced - which we
  878. should not do in these tests) and thus the wait for connections loop is never
  879. entered to receive the second connection.
  880. 20.6 Use the RFC6265 test suite
  881. A test suite made for HTTP cookies (RFC 6265) by Adam Barth is available at
  882. https://github.com/abarth/http-state/tree/master/tests
  883. It'd be really awesome if someone would write a script/setup that would run
  884. curl with that test suite and detect deviances. Ideally, that would even be
  885. incorporated into our regular test suite.
  886. 20.7 Support LD_PRELOAD on macOS
  887. LD_RELOAD does not work on macOS, but there are tests which require it to run
  888. properly. Look into making the preload support in runtests.pl portable such
  889. that it uses DYLD_INSERT_LIBRARIES on macOS.
  890. 20.8 Run web-platform-tests URL tests
  891. Run web-platform-tests URL tests and compare results with browsers on wpt.fyi
  892. It would help us find issues to fix and help us document where our parser
  893. differs from the WHATWG URL spec parsers.
  894. See https://github.com/curl/curl/issues/4477
  895. 21. MQTT
  896. 21.1 Support rate-limiting
  897. The rate-limiting logic is done in the PERFORMING state in multi.c but MQTT
  898. is not (yet) implemented to use that.