TODO 49 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381
  1. _ _ ____ _
  2. ___| | | | _ \| |
  3. / __| | | | |_) | |
  4. | (__| |_| | _ <| |___
  5. \___|\___/|_| \_\_____|
  6. Things that could be nice to do in the future
  7. Things to do in project curl. Please tell us what you think, contribute and
  8. send us patches that improve things.
  9. Be aware that these are things that we could do, or have once been considered
  10. things we could do. If you want to work on any of these areas, please
  11. consider bringing it up for discussions first on the mailing list so that we
  12. all agree it is still a good idea for the project.
  13. All bugs documented in the KNOWN_BUGS document are subject for fixing.
  14. 1. libcurl
  15. 1.1 TFO support on Windows
  16. 1.2 Consult %APPDATA% also for .netrc
  17. 1.3 struct lifreq
  18. 1.4 alt-svc sharing
  19. 1.5 get rid of PATH_MAX
  20. 1.6 thread-safe sharing
  21. 1.8 CURLOPT_RESOLVE for any port number
  22. 1.9 Cache negative name resolves
  23. 1.10 auto-detect proxy
  24. 1.11 minimize dependencies with dynamically loaded modules
  25. 1.12 updated DNS server while running
  26. 1.13 c-ares and CURLOPT_OPENSOCKETFUNCTION
  27. 1.14 connect to multiple IPs in parallel
  28. 1.15 Monitor connections in the connection pool
  29. 1.16 Try to URL encode given URL
  30. 1.17 Add support for IRIs
  31. 1.18 try next proxy if one does not work
  32. 1.19 provide timing info for each redirect
  33. 1.20 SRV and URI DNS records
  34. 1.21 netrc caching and sharing
  35. 1.22 CURLINFO_PAUSE_STATE
  36. 1.23 Offer API to flush the connection pool
  37. 1.25 Expose tried IP addresses that failed
  38. 1.28 FD_CLOEXEC
  39. 1.29 WebSocket read callback
  40. 1.30 config file parsing
  41. 1.31 erase secrets from heap/stack after use
  42. 1.32 add asynch getaddrinfo support
  43. 1.33 make DoH inherit more transfer properties
  44. 2. libcurl - multi interface
  45. 2.1 More non-blocking
  46. 2.2 Better support for same name resolves
  47. 2.3 Non-blocking curl_multi_remove_handle()
  48. 2.4 Split connect and authentication process
  49. 2.5 Edge-triggered sockets should work
  50. 2.6 multi upkeep
  51. 2.7 Virtual external sockets
  52. 2.8 dynamically decide to use socketpair
  53. 3. Documentation
  54. 3.1 Improve documentation about fork safety
  55. 4. FTP
  56. 4.1 HOST
  57. 4.4 Support CURLOPT_PREQUOTE for directories listings
  58. 4.6 GSSAPI via Windows SSPI
  59. 4.7 STAT for LIST without data connection
  60. 4.8 Passive transfer could try other IP addresses
  61. 5. HTTP
  62. 5.1 Provide the error body from a CONNECT response
  63. 5.2 Obey Retry-After in redirects
  64. 5.3 Rearrange request header order
  65. 5.4 Allow SAN names in HTTP/2 server push
  66. 5.5 auth= in URLs
  67. 5.6 alt-svc should fallback if alt-svc does not work
  68. 5.7 Require HTTP version X or higher
  69. 6. TELNET
  70. 6.1 ditch stdin
  71. 6.2 ditch telnet-specific select
  72. 6.3 feature negotiation debug data
  73. 6.4 exit immediately upon connection if stdin is /dev/null
  74. 7. SMTP
  75. 7.1 Passing NOTIFY option to CURLOPT_MAIL_RCPT
  76. 7.2 Enhanced capability support
  77. 7.3 Add CURLOPT_MAIL_CLIENT option
  78. 8. POP3
  79. 8.2 Enhanced capability support
  80. 9. IMAP
  81. 9.1 Enhanced capability support
  82. 9.2 upload unread
  83. 10. LDAP
  84. 10.1 SASL based authentication mechanisms
  85. 10.2 CURLOPT_SSL_CTX_FUNCTION for LDAPS
  86. 10.3 Paged searches on LDAP server
  87. 10.4 Certificate-Based Authentication
  88. 11. SMB
  89. 11.1 File listing support
  90. 11.2 Honor file timestamps
  91. 11.3 Use NTLMv2
  92. 11.4 Create remote directories
  93. 12. FILE
  94. 12.1 Directory listing on non-POSIX
  95. 13. TLS
  96. 13.1 TLS-PSK with OpenSSL
  97. 13.2 TLS channel binding
  98. 13.3 Defeat TLS fingerprinting
  99. 13.4 Consider OCSP stapling by default
  100. 13.5 Export session ids
  101. 13.6 Provide callback for cert verification
  102. 13.7 Less memory massaging with Schannel
  103. 13.8 Support DANE
  104. 13.9 TLS record padding
  105. 13.10 Support Authority Information Access certificate extension (AIA)
  106. 13.11 Some TLS options are not offered for HTTPS proxies
  107. 13.13 Make sure we forbid TLS 1.3 post-handshake authentication
  108. 13.14 Support the clienthello extension
  109. 13.15 Select signature algorithms
  110. 13.16 Share the CA cache
  111. 13.17 Add missing features to TLS backends
  112. 15. Schannel
  113. 15.1 Extend support for client certificate authentication
  114. 15.2 Extend support for the --ciphers option
  115. 15.4 Add option to allow abrupt server closure
  116. 16. SASL
  117. 16.1 Other authentication mechanisms
  118. 16.2 Add QOP support to GSSAPI authentication
  119. 17. SSH protocols
  120. 17.1 Multiplexing
  121. 17.2 Handle growing SFTP files
  122. 17.3 Read keys from ~/.ssh/id_ecdsa, id_ed25519
  123. 17.4 Support CURLOPT_PREQUOTE
  124. 17.5 SSH over HTTPS proxy with more backends
  125. 17.6 SFTP with SCP://
  126. 18. Command line tool
  127. 18.1 sync
  128. 18.2 glob posts
  129. 18.4 --proxycommand
  130. 18.5 UTF-8 filenames in Content-Disposition
  131. 18.6 Option to make -Z merge lined based outputs on stdout
  132. 18.7 specify which response codes that make -f/--fail return error
  133. 18.9 Choose the name of file in braces for complex URLs
  134. 18.10 improve how curl works in a Windows console window
  135. 18.11 Windows: set attribute 'archive' for completed downloads
  136. 18.12 keep running, read instructions from pipe/socket
  137. 18.13 Acknowledge Ratelimit headers
  138. 18.14 --dry-run
  139. 18.15 --retry should resume
  140. 18.16 send only part of --data
  141. 18.17 consider filename from the redirected URL with -O ?
  142. 18.18 retry on network is unreachable
  143. 18.19 expand ~/ in config files
  144. 18.20 hostname sections in config files
  145. 18.21 retry on the redirected-to URL
  146. 18.23 Set the modification date on an uploaded file
  147. 18.24 Use multiple parallel transfers for a single download
  148. 18.25 Prevent terminal injection when writing to terminal
  149. 18.26 Custom progress meter update interval
  150. 18.27 -J and -O with %-encoded filenames
  151. 18.28 -J with -C -
  152. 18.29 --retry and transfer timeouts
  153. 19. Build
  154. 19.2 Enable PIE and RELRO by default
  155. 19.3 Do not use GNU libtool on OpenBSD
  156. 19.4 Package curl for Windows in a signed installer
  157. 19.5 make configure use --cache-file more and better
  158. 20. Test suite
  159. 20.1 SSL tunnel
  160. 20.2 nicer lacking perl message
  161. 20.3 more protocols supported
  162. 20.4 more platforms supported
  163. 20.6 Use the RFC 6265 test suite
  164. 20.8 Run web-platform-tests URL tests
  165. 21. MQTT
  166. 21.1 Support rate-limiting
  167. 21.2 Support MQTTS
  168. 21.3 Handle network blocks
  169. 22. TFTP
  170. 22.1 TFTP does not convert LF to CRLF for mode=netascii
  171. 23. Gopher
  172. 23.1 Handle network blocks
  173. ==============================================================================
  174. 1. libcurl
  175. 1.1 TFO support on Windows
  176. libcurl supports the CURLOPT_TCP_FASTOPEN option since 7.49.0 for Linux and
  177. macOS. Windows supports TCP Fast Open starting with Windows 10, version 1607
  178. and we should add support for it.
  179. TCP Fast Open is supported on several platforms but not on Windows. Work on
  180. this was once started but never finished.
  181. See https://github.com/curl/curl/pull/3378
  182. 1.2 Consult %APPDATA% also for .netrc
  183. %APPDATA%\.netrc is not considered when running on Windows. should not it?
  184. See https://github.com/curl/curl/issues/4016
  185. 1.3 struct lifreq
  186. Use 'struct lifreq' and SIOCGLIFADDR instead of 'struct ifreq' and
  187. SIOCGIFADDR on newer Solaris versions as they claim the latter is obsolete.
  188. To support IPv6 interface addresses for network interfaces properly.
  189. 1.4 alt-svc sharing
  190. The share interface could benefit from allowing the alt-svc cache to be
  191. possible to share between easy handles.
  192. See https://github.com/curl/curl/issues/4476
  193. The share interface offers CURL_LOCK_DATA_CONNECT to have multiple easy
  194. handle share a connection cache, but due to how connections are used they are
  195. still not thread-safe when used shared.
  196. See https://github.com/curl/curl/issues/4915 and lib1541.c
  197. The share interface offers CURL_LOCK_DATA_HSTS to have multiple easy handle
  198. share a HSTS cache, but this is not thread-safe.
  199. 1.5 get rid of PATH_MAX
  200. Having code use and rely on PATH_MAX is not nice:
  201. https://insanecoding.blogspot.com/2007/11/pathmax-simply-isnt.html
  202. Currently the libssh2 SSH based code uses it, but to remove PATH_MAX from
  203. there we need libssh2 to properly tell us when we pass in a too small buffer
  204. and its current API (as of libssh2 1.2.7) does not.
  205. 1.6 thread-safe sharing
  206. Using the share interface users can share some data between easy handles but
  207. several of the sharing options are documented as not safe and supported to
  208. share between multiple concurrent threads. Fixing this would enable more
  209. users to share data in more powerful ways.
  210. 1.8 CURLOPT_RESOLVE for any port number
  211. This option allows applications to set a replacement IP address for a given
  212. host + port pair. Consider making support for providing a replacement address
  213. for the hostname on all port numbers.
  214. See https://github.com/curl/curl/issues/1264
  215. 1.9 Cache negative name resolves
  216. A name resolve that has failed is likely to fail when made again within a
  217. short period of time. Currently we only cache positive responses.
  218. 1.10 auto-detect proxy
  219. libcurl could be made to detect the system proxy setup automatically and use
  220. that. On Windows, macOS and Linux desktops for example.
  221. The pull-request to use libproxy for this was deferred due to doubts on the
  222. reliability of the dependency and how to use it:
  223. https://github.com/curl/curl/pull/977
  224. libdetectproxy is a (C++) library for detecting the proxy on Windows
  225. https://github.com/paulharris/libdetectproxy
  226. 1.11 minimize dependencies with dynamically loaded modules
  227. We can create a system with loadable modules/plug-ins, where these modules
  228. would be the ones that link to 3rd party libs. That would allow us to avoid
  229. having to load ALL dependencies since only the necessary ones for this
  230. app/invoke/used protocols would be necessary to load. See
  231. https://github.com/curl/curl/issues/349
  232. 1.12 updated DNS server while running
  233. If /etc/resolv.conf gets updated while a program using libcurl is running, it
  234. is may cause name resolves to fail unless res_init() is called. We should
  235. consider calling res_init() + retry once unconditionally on all name resolve
  236. failures to mitigate against this. Firefox works like that. Note that Windows
  237. does not have res_init() or an alternative.
  238. https://github.com/curl/curl/issues/2251
  239. 1.13 c-ares and CURLOPT_OPENSOCKETFUNCTION
  240. curl creates most sockets via the CURLOPT_OPENSOCKETFUNCTION callback and
  241. close them with the CURLOPT_CLOSESOCKETFUNCTION callback. However, c-ares
  242. does not use those functions and instead opens and closes the sockets itself.
  243. This means that when curl passes the c-ares socket to the
  244. CURLMOPT_SOCKETFUNCTION it is not owned by the application like other
  245. sockets.
  246. See https://github.com/curl/curl/issues/2734
  247. 1.14 connect to multiple IPs in parallel
  248. curl currently implements the happy eyeball algorithm for connecting to the
  249. IPv4 and IPv6 alternatives for a host in parallel, sticking with the
  250. connection that "wins". We could implement a similar algorithm per individual
  251. IP family as well when there are multiple available addresses: start with the
  252. first address, then start a second attempt N milliseconds after and then a
  253. third another N milliseconds later. That way there would be less waiting when
  254. the first IP has problems. It also improves the connection timeout value
  255. handling for multiple address situations.
  256. 1.15 Monitor connections in the connection pool
  257. libcurl's connection cache or pool holds a number of open connections for the
  258. purpose of possible subsequent connection reuse. It may contain a few up to a
  259. significant amount of connections. Currently, libcurl leaves all connections
  260. as they are and first when a connection is iterated over for matching or
  261. reuse purpose it is verified that it is still alive.
  262. Those connections may get closed by the server side for idleness or they may
  263. get an HTTP/2 ping from the peer to verify that they are still alive. By
  264. adding monitoring of the connections while in the pool, libcurl can detect
  265. dead connections (and close them) better and earlier, and it can handle
  266. HTTP/2 pings to keep such ones alive even when not actively doing transfers
  267. on them.
  268. 1.16 Try to URL encode given URL
  269. Given a URL that for example contains spaces, libcurl could have an option
  270. that would try somewhat harder than it does now and convert spaces to %20 and
  271. perhaps URL encoded byte values over 128 etc (basically do what the redirect
  272. following code already does).
  273. https://github.com/curl/curl/issues/514
  274. 1.17 Add support for IRIs
  275. IRIs (RFC 3987) allow localized, non-ASCII, names in the URL. To properly
  276. support this, curl/libcurl would need to translate/encode the given input
  277. from the input string encoding into percent encoded output "over the wire".
  278. To make that work smoothly for curl users even on Windows, curl would
  279. probably need to be able to convert from several input encodings.
  280. 1.18 try next proxy if one does not work
  281. Allow an application to specify a list of proxies to try, and failing to
  282. connect to the first go on and try the next instead until the list is
  283. exhausted. Browsers support this feature at least when they specify proxies
  284. using PACs.
  285. https://github.com/curl/curl/issues/896
  286. 1.19 provide timing info for each redirect
  287. curl and libcurl provide timing information via a set of different
  288. time-stamps (CURLINFO_*_TIME). When curl is following redirects, those
  289. returned time value are the accumulated sums. An improvement could be to
  290. offer separate timings for each redirect.
  291. https://github.com/curl/curl/issues/6743
  292. 1.20 SRV and URI DNS records
  293. Offer support for resolving SRV and URI DNS records for libcurl to know which
  294. server to connect to for various protocols (including HTTP).
  295. 1.21 netrc caching and sharing
  296. The netrc file is read and parsed each time a connection is setup, which
  297. means that if a transfer needs multiple connections for authentication or
  298. redirects, the file might be reread (and parsed) multiple times. This makes
  299. it impossible to provide the file as a pipe.
  300. 1.22 CURLINFO_PAUSE_STATE
  301. Return information about the transfer's current pause state, in both
  302. directions. https://github.com/curl/curl/issues/2588
  303. 1.23 Offer API to flush the connection pool
  304. Sometimes applications want to flush all the existing connections kept alive.
  305. An API could allow a forced flush or just a forced loop that would properly
  306. close all connections that have been closed by the server already.
  307. 1.25 Expose tried IP addresses that failed
  308. When libcurl fails to connect to a host, it could offer the application the
  309. addresses that were used in the attempt. Source + dest IP, source + dest port
  310. and protocol (UDP or TCP) for each failure. Possibly as a callback. Perhaps
  311. also provide "reason".
  312. https://github.com/curl/curl/issues/2126
  313. 1.28 FD_CLOEXEC
  314. It sets the close-on-exec flag for the file descriptor, which causes the file
  315. descriptor to be automatically (and atomically) closed when any of the
  316. exec-family functions succeed. Should probably be set by default?
  317. https://github.com/curl/curl/issues/2252
  318. 1.29 WebSocket read callback
  319. Call the read callback once the connection is established to allow sending
  320. the first message in the connection.
  321. https://github.com/curl/curl/issues/11402
  322. 1.30 config file parsing
  323. Consider providing an API, possibly in a separate companion library, for
  324. parsing a config file like curl's -K/--config option to allow applications to
  325. get the same ability to read curl options from files.
  326. See https://github.com/curl/curl/issues/3698
  327. 1.31 erase secrets from heap/stack after use
  328. Introducing a concept and system to erase secrets from memory after use, it
  329. could help mitigate and lessen the impact of (future) security problems etc.
  330. However: most secrets are passed to libcurl as clear text from the
  331. application and then clearing them within the library adds nothing...
  332. https://github.com/curl/curl/issues/7268
  333. 1.32 add asynch getaddrinfo support
  334. Use getaddrinfo_a() to provide an asynch name resolver backend to libcurl
  335. that does not use threads and does not depend on c-ares. The getaddrinfo_a
  336. function is (probably?) glibc specific but that is a widely used libc among
  337. our users.
  338. https://github.com/curl/curl/pull/6746
  339. 1.33 make DoH inherit more transfer properties
  340. Some options are not inherited because they are not relevant for the DoH SSL
  341. connections, or inheriting the option may result in unexpected behavior. For
  342. example the user's debug function callback is not inherited because it would
  343. be unexpected for internal handles (ie DoH handles) to be passed to that
  344. callback.
  345. If an option is not inherited then it is not possible to set it separately
  346. for DoH without a DoH-specific option. For example:
  347. CURLOPT_DOH_SSL_VERIFYHOST, CURLOPT_DOH_SSL_VERIFYPEER and
  348. CURLOPT_DOH_SSL_VERIFYSTATUS.
  349. See https://github.com/curl/curl/issues/6605
  350. 2. libcurl - multi interface
  351. 2.1 More non-blocking
  352. Make sure we do not ever loop because of non-blocking sockets returning
  353. EWOULDBLOCK or similar. Blocking cases include:
  354. - Name resolves on non-Windows unless c-ares or the threaded resolver is used.
  355. - The threaded resolver may block on cleanup:
  356. https://github.com/curl/curl/issues/4852
  357. - file:// transfers
  358. - TELNET transfers
  359. - GSSAPI authentication for FTP transfers
  360. - The "DONE" operation (post transfer protocol-specific actions) for the
  361. protocols SFTP, SMTP, FTP. Fixing multi_done() for this is a worthy task.
  362. - curl_multi_remove_handle for any of the above. See section 2.3.
  363. - Calling curl_ws_send() from a callback
  364. 2.2 Better support for same name resolves
  365. If a name resolve has been initiated for name NN and a second easy handle
  366. wants to resolve that name as well, make it wait for the first resolve to end
  367. up in the cache instead of doing a second separate resolve. This is
  368. especially needed when adding many simultaneous handles using the same host
  369. name when the DNS resolver can get flooded.
  370. 2.3 Non-blocking curl_multi_remove_handle()
  371. The multi interface has a few API calls that assume a blocking behavior, like
  372. add_handle() and remove_handle() which limits what we can do internally. The
  373. multi API need to be moved even more into a single function that "drives"
  374. everything in a non-blocking manner and signals when something is done. A
  375. remove or add would then only ask for the action to get started and then
  376. multi_perform() etc still be called until the add/remove is completed.
  377. 2.4 Split connect and authentication process
  378. The multi interface treats the authentication process as part of the connect
  379. phase. As such any failures during authentication does not trigger the
  380. relevant QUIT or LOGOFF for protocols such as IMAP, POP3 and SMTP.
  381. 2.5 Edge-triggered sockets should work
  382. The multi_socket API should work with edge-triggered socket events. One of
  383. the internal actions that need to be improved for this to work perfectly is
  384. the 'maxloops' handling in transfer.c:readwrite_data().
  385. 2.6 multi upkeep
  386. In libcurl 7.62.0 we introduced curl_easy_upkeep. It unfortunately only works
  387. on easy handles. We should introduces a version of that for the multi handle,
  388. and also consider doing "upkeep" automatically on connections in the
  389. connection pool when the multi handle is in used.
  390. See https://github.com/curl/curl/issues/3199
  391. 2.7 Virtual external sockets
  392. libcurl performs operations on the given file descriptor that presumes it is
  393. a socket and an application cannot replace them at the moment. Allowing an
  394. application to fully replace those would allow a larger degree of freedom and
  395. flexibility.
  396. See https://github.com/curl/curl/issues/5835
  397. 2.8 dynamically decide to use socketpair
  398. For users who do not use curl_multi_wait() or do not care for
  399. curl_multi_wakeup(), we could introduce a way to make libcurl NOT
  400. create a socketpair in the multi handle.
  401. See https://github.com/curl/curl/issues/4829
  402. 3. Documentation
  403. 3.1 Improve documentation about fork safety
  404. See https://github.com/curl/curl/issues/6968
  405. 4. FTP
  406. 4.1 HOST
  407. HOST is a command for a client to tell which hostname to use, to offer FTP
  408. servers named-based virtual hosting:
  409. https://datatracker.ietf.org/doc/html/rfc7151
  410. 4.4 Support CURLOPT_PREQUOTE for directions listings
  411. The lack of support is mostly an oversight and requires the FTP state machine
  412. to get updated to get fixed.
  413. https://github.com/curl/curl/issues/8602
  414. 4.6 GSSAPI via Windows SSPI
  415. In addition to currently supporting the SASL GSSAPI mechanism (Kerberos V5)
  416. via third-party GSS-API libraries, such as Heimdal or MIT Kerberos, also add
  417. support for GSSAPI authentication via Windows SSPI.
  418. 4.7 STAT for LIST without data connection
  419. Some FTP servers allow STAT for listing directories instead of using LIST,
  420. and the response is then sent over the control connection instead of as the
  421. otherwise usedw data connection: https://www.nsftools.com/tips/RawFTP.htm#STAT
  422. This is not detailed in any FTP specification.
  423. 4.8 Passive transfer could try other IP addresses
  424. When doing FTP operations through a proxy at localhost, the reported spotted
  425. that curl only tried to connect once to the proxy, while it had multiple
  426. addresses and a failed connect on one address should make it try the next.
  427. After switching to passive mode (EPSV), curl could try all IP addresses for
  428. "localhost". Currently it tries ::1, but it should also try 127.0.0.1.
  429. See https://github.com/curl/curl/issues/1508
  430. 5. HTTP
  431. 5.1 Provide the error body from a CONNECT response
  432. When curl receives a body response from a CONNECT request to a proxy, it
  433. always just reads and ignores it. It would make some users happy if curl
  434. instead optionally would be able to make that responsible available. Via a
  435. new callback? Through some other means?
  436. See https://github.com/curl/curl/issues/9513
  437. 5.2 Obey Retry-After in redirects
  438. The Retry-After is said to dicate "the minimum time that the user agent is
  439. asked to wait before issuing the redirected request" and libcurl does not
  440. obey this.
  441. See https://github.com/curl/curl/issues/11447
  442. 5.3 Rearrange request header order
  443. Server implementers often make an effort to detect browser and to reject
  444. clients it can detect to not match. One of the last details we cannot yet
  445. control in libcurl's HTTP requests, which also can be exploited to detect
  446. that libcurl is in fact used even when it tries to impersonate a browser, is
  447. the order of the request headers. I propose that we introduce a new option in
  448. which you give headers a value, and then when the HTTP request is built it
  449. sorts the headers based on that number. We could then have internally created
  450. headers use a default value so only headers that need to be moved have to be
  451. specified.
  452. 5.4 Allow SAN names in HTTP/2 server push
  453. curl only allows HTTP/2 push promise if the provided :authority header value
  454. exactly matches the hostname given in the URL. It could be extended to allow
  455. any name that would match the Subject Alternative Names in the server's TLS
  456. certificate.
  457. See https://github.com/curl/curl/pull/3581
  458. 5.5 auth= in URLs
  459. Add the ability to specify the preferred authentication mechanism to use by
  460. using ;auth=<mech> in the login part of the URL.
  461. For example:
  462. http://test:pass;auth=NTLM@example.com would be equivalent to specifying
  463. --user test:pass;auth=NTLM or --user test:pass --ntlm from the command line.
  464. Additionally this should be implemented for proxy base URLs as well.
  465. 5.6 alt-svc should fallback if alt-svc does not work
  466. The alt-svc: header provides a set of alternative services for curl to use
  467. instead of the original. If the first attempted one fails, it should try the
  468. next etc and if all alternatives fail go back to the original.
  469. See https://github.com/curl/curl/issues/4908
  470. 5.7 Require HTTP version X or higher
  471. curl and libcurl provide options for trying higher HTTP versions (for example
  472. HTTP/2) but then still allows the server to pick version 1.1. We could
  473. consider adding a way to require a minimum version.
  474. See https://github.com/curl/curl/issues/7980
  475. 6. TELNET
  476. 6.1 ditch stdin
  477. Reading input (to send to the remote server) on stdin is a crappy solution
  478. for library purposes. We need to invent a good way for the application to be
  479. able to provide the data to send.
  480. 6.2 ditch telnet-specific select
  481. Move the telnet support's network select() loop go away and merge the code
  482. into the main transfer loop. Until this is done, the multi interface does not
  483. work for telnet.
  484. 6.3 feature negotiation debug data
  485. Add telnet feature negotiation data to the debug callback as header data.
  486. 6.4 exit immediately upon connection if stdin is /dev/null
  487. If it did, curl could be used to probe if there is an server there listening
  488. on a specific port. That is, the following command would exit immediately
  489. after the connection is established with exit code 0:
  490. curl -s --connect-timeout 2 telnet://example.com:80 </dev/null
  491. 7. SMTP
  492. 7.1 Passing NOTIFY option to CURLOPT_MAIL_RCPT
  493. Is there a way to pass the NOTIFY option to the CURLOPT_MAIL_RCPT option ? I
  494. set a string that already contains a bracket. For instance something like
  495. that: curl_slist_append( recipients, "<foo@bar> NOTIFY=SUCCESS,FAILURE" );
  496. https://github.com/curl/curl/issues/8232
  497. 7.2 Enhanced capability support
  498. Add the ability, for an application that uses libcurl, to obtain the list of
  499. capabilities returned from the EHLO command.
  500. 7.3 Add CURLOPT_MAIL_CLIENT option
  501. Rather than use the URL to specify the mail client string to present in the
  502. HELO and EHLO commands, libcurl should support a new CURLOPT specifically for
  503. specifying this data as the URL is non-standard and to be honest a bit of a
  504. hack ;-)
  505. Please see the following thread for more information:
  506. https://curl.se/mail/lib-2012-05/0178.html
  507. 8. POP3
  508. 8.2 Enhanced capability support
  509. Add the ability, for an application that uses libcurl, to obtain the list of
  510. capabilities returned from the CAPA command.
  511. 9. IMAP
  512. 9.1 Enhanced capability support
  513. Add the ability, for an application that uses libcurl, to obtain the list of
  514. capabilities returned from the CAPABILITY command.
  515. 9.2 upload unread
  516. Uploads over IMAP currently always set the email as "read" (or "seen"). It
  517. would be good to offer a way for users to select for uploads to remain
  518. unread.
  519. 10. LDAP
  520. 10.1 SASL based authentication mechanisms
  521. Currently the LDAP module only supports ldap_simple_bind_s() in order to bind
  522. to an LDAP server. However, this function sends username and password details
  523. using the simple authentication mechanism (as clear text). However, it should
  524. be possible to use ldap_bind_s() instead specifying the security context
  525. information ourselves.
  526. 10.2 CURLOPT_SSL_CTX_FUNCTION for LDAPS
  527. CURLOPT_SSL_CTX_FUNCTION works perfectly for HTTPS and email protocols, but
  528. it has no effect for LDAPS connections.
  529. https://github.com/curl/curl/issues/4108
  530. 10.3 Paged searches on LDAP server
  531. https://github.com/curl/curl/issues/4452
  532. 10.4 Certificate-Based Authentication
  533. LDAPS not possible with macOS and Windows with Certificate-Based Authentication
  534. https://github.com/curl/curl/issues/9641
  535. 11. SMB
  536. 11.1 File listing support
  537. Add support for listing the contents of a SMB share. The output should
  538. probably be the same as/similar to FTP.
  539. 11.2 Honor file timestamps
  540. The timestamp of the transferred file should reflect that of the original
  541. file.
  542. 11.3 Use NTLMv2
  543. Currently the SMB authentication uses NTLMv1.
  544. 11.4 Create remote directories
  545. Support for creating remote directories when uploading a file to a directory
  546. that does not exist on the server, just like --ftp-create-dirs.
  547. 12. FILE
  548. 12.1 Directory listing on non-POSIX
  549. Listing the contents of a directory accessed with FILE only works on
  550. platforms with opendir. Support could be added for more systems, like
  551. Windows.
  552. 13. TLS
  553. 13.1 TLS-PSK with OpenSSL
  554. Transport Layer Security pre-shared key ciphersuites (TLS-PSK) is a set of
  555. cryptographic protocols that provide secure communication based on pre-shared
  556. keys (PSKs). These pre-shared keys are symmetric keys shared in advance among
  557. the communicating parties.
  558. https://github.com/curl/curl/issues/5081
  559. 13.2 TLS channel binding
  560. TLS 1.2 and 1.3 provide the ability to extract some secret data from the TLS
  561. connection and use it in the client request (usually in some sort of
  562. authentication) to ensure that the data sent is bound to the specific TLS
  563. connection and cannot be successfully intercepted by a proxy. This
  564. functionality can be used in a standard authentication mechanism such as
  565. GSS-API or SCRAM, or in custom approaches like custom HTTP Authentication
  566. headers.
  567. For TLS 1.2, the binding type is usually tls-unique, and for TLS 1.3 it is
  568. tls-exporter.
  569. https://datatracker.ietf.org/doc/html/rfc5929
  570. https://datatracker.ietf.org/doc/html/rfc9266
  571. https://github.com/curl/curl/issues/9226
  572. 13.3 Defeat TLS fingerprinting
  573. By changing the order of TLS extensions provided in the TLS handshake, it is
  574. sometimes possible to circumvent TLS fingerprinting by servers. The TLS
  575. extension order is of course not the only way to fingerprint a client.
  576. 13.4 Consider OCSP stapling by default
  577. Treat a negative response a reason for aborting the connection. Since OCSP
  578. stapling is presumed to get used much less in the future when Let's Encrypt
  579. drops the OCSP support, the benefit of this might however be limited.
  580. https://github.com/curl/curl/issues/15483
  581. 13.5 Export session ids
  582. Add an interface to libcurl that enables "session IDs" to get
  583. exported/imported. Cris Bailiff said: "OpenSSL has functions which can
  584. serialise the current SSL state to a buffer of your choice, and recover/reset
  585. the state from such a buffer at a later date - this is used by mod_ssl for
  586. apache to implement and SSL session ID cache".
  587. 13.6 Provide callback for cert verification
  588. OpenSSL supports a callback for customised verification of the peer
  589. certificate, but this does not seem to be exposed in the libcurl APIs. Could
  590. it be? There is so much that could be done if it were.
  591. 13.7 Less memory massaging with Schannel
  592. The Schannel backend does a lot of custom memory management we would rather
  593. avoid: the repeated alloc + free in sends and the custom memory + realloc
  594. system for encrypted and decrypted data. That should be avoided and reduced
  595. for 1) efficiency and 2) safety.
  596. 13.8 Support DANE
  597. DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL
  598. keys and certs over DNS using DNSSEC as an alternative to the CA model.
  599. https://www.rfc-editor.org/rfc/rfc6698.txt
  600. An initial patch was posted by Suresh Krishnaswamy on March 7th 2013
  601. (https://curl.se/mail/lib-2013-03/0075.html) but it was a too simple
  602. approach. See Daniel's comments:
  603. https://curl.se/mail/lib-2013-03/0103.html . libunbound may be the
  604. correct library to base this development on.
  605. Björn Stenberg wrote a separate initial take on DANE that was never
  606. completed.
  607. 13.9 TLS record padding
  608. TLS (1.3) offers optional record padding and OpenSSL provides an API for it.
  609. I could make sense for libcurl to offer this ability to applications to make
  610. traffic patterns harder to figure out by network traffic observers.
  611. See https://github.com/curl/curl/issues/5398
  612. 13.10 Support Authority Information Access certificate extension (AIA)
  613. AIA can provide various things like CRLs but more importantly information
  614. about intermediate CA certificates that can allow validation path to be
  615. fulfilled when the HTTPS server does not itself provide them.
  616. Since AIA is about downloading certs on demand to complete a TLS handshake,
  617. it is probably a bit tricky to get done right.
  618. See https://github.com/curl/curl/issues/2793
  619. 13.11 Some TLS options are not offered for HTTPS proxies
  620. Some TLS related options to the command line tool and libcurl are only
  621. provided for the server and not for HTTPS proxies. --proxy-tls-max,
  622. --proxy-tlsv1.3, --proxy-curves and a few more.
  623. For more Documentation on this see:
  624. https://curl.se/libcurl/c/tls-options.html
  625. https://github.com/curl/curl/issues/12286
  626. 13.13 Make sure we forbid TLS 1.3 post-handshake authentication
  627. RFC 8740 explains how using HTTP/2 must forbid the use of TLS 1.3
  628. post-handshake authentication. We should make sure to live up to that.
  629. See https://github.com/curl/curl/issues/5396
  630. 13.14 Support the clienthello extension
  631. Certain stupid networks and middle boxes have a problem with SSL handshake
  632. packets that are within a certain size range because how that sets some bits
  633. that previously (in older TLS version) were not set. The clienthello
  634. extension adds padding to avoid that size range.
  635. https://datatracker.ietf.org/doc/html/rfc7685
  636. https://github.com/curl/curl/issues/2299
  637. 13.15 Select signature algorithms
  638. Consider adding an option or a way for users to select TLS signature
  639. algorithm. The signature algorithms set by a client are used directly in the
  640. supported signature algorithm in the client hello message.
  641. https://github.com/curl/curl/issues/12982
  642. 13.16 Share the CA cache
  643. For TLS backends that supports CA caching, it makes sense to allow the share
  644. object to be used to store the CA cache as well via the share API. Would
  645. allow multiple easy handles to reuse the CA cache and save themselves from a
  646. lot of extra processing overhead.
  647. 13.17 Add missing features to TLS backends
  648. The feature matrix at https://curl.se/libcurl/c/tls-options.html shows which
  649. features are supported by which TLS backends, and thus also where there are
  650. feature gaps.
  651. 15. Schannel
  652. 15.1 Extend support for client certificate authentication
  653. The existing support for the -E/--cert and --key options could be
  654. extended by supplying a custom certificate and key in PEM format, see:
  655. - Getting a Certificate for Schannel
  656. https://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx
  657. 15.2 Extend support for the --ciphers option
  658. The existing support for the --ciphers option could be extended
  659. by mapping the OpenSSL/GnuTLS cipher suites to the Schannel APIs, see
  660. - Specifying Schannel Ciphers and Cipher Strengths
  661. https://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx
  662. 15.4 Add option to allow abrupt server closure
  663. libcurl with Schannel errors without a known termination point from the server
  664. (such as length of transfer, or SSL "close notify" alert) to prevent against
  665. a truncation attack. Really old servers may neglect to send any termination
  666. point. An option could be added to ignore such abrupt closures.
  667. https://github.com/curl/curl/issues/4427
  668. 16. SASL
  669. 16.1 Other authentication mechanisms
  670. Add support for other authentication mechanisms such as OLP,
  671. GSS-SPNEGO and others.
  672. 16.2 Add QOP support to GSSAPI authentication
  673. Currently the GSSAPI authentication only supports the default QOP of auth
  674. (Authentication), whilst Kerberos V5 supports both auth-int (Authentication
  675. with integrity protection) and auth-conf (Authentication with integrity and
  676. privacy protection).
  677. 17. SSH protocols
  678. 17.1 Multiplexing
  679. SSH is a perfectly fine multiplexed protocols which would allow libcurl to do
  680. multiple parallel transfers from the same host using the same connection,
  681. much in the same spirit as HTTP/2 does. libcurl however does not take
  682. advantage of that ability but does instead always create a new connection for
  683. new transfers even if an existing connection already exists to the host.
  684. To fix this, libcurl would have to detect an existing connection and "attach"
  685. the new transfer to the existing one.
  686. 17.2 Handle growing SFTP files
  687. The SFTP code in libcurl checks the file size *before* a transfer starts and
  688. then proceeds to transfer exactly that amount of data. If the remote file
  689. grows while the transfer is in progress libcurl does not notice and does not
  690. adapt. The OpenSSH SFTP command line tool does and libcurl could also just
  691. attempt to download more to see if there is more to get...
  692. https://github.com/curl/curl/issues/4344
  693. 17.3 Read keys from ~/.ssh/id_ecdsa, id_ed25519
  694. The libssh2 backend in curl is limited to only reading keys from id_rsa and
  695. id_dsa, which makes it fail connecting to servers that use more modern key
  696. types.
  697. https://github.com/curl/curl/issues/8586
  698. 17.4 Support CURLOPT_PREQUOTE
  699. The two other QUOTE options are supported for SFTP, but this was left out for
  700. unknown reasons.
  701. 17.5 SSH over HTTPS proxy with more backends
  702. The SSH based protocols SFTP and SCP did not work over HTTPS proxy at
  703. all until PR https://github.com/curl/curl/pull/6021 brought the
  704. functionality with the libssh2 backend. Presumably, this support
  705. can/could be added for the other backends as well.
  706. 17.6 SFTP with SCP://
  707. OpenSSH 9 switched their 'scp' tool to speak SFTP under the hood. Going
  708. forward it might be worth having curl or libcurl attempt SFTP if SCP fails to
  709. follow suite.
  710. 18. Command line tool
  711. 18.1 sync
  712. "curl --sync http://example.com/feed[1-100].rss" or
  713. "curl --sync http://example.net/{index,calendar,history}.html"
  714. Downloads a range or set of URLs using the remote name, but only if the
  715. remote file is newer than the local file. A Last-Modified HTTP date header
  716. should also be used to set the mod date on the downloaded file.
  717. 18.2 glob posts
  718. Globbing support for -d and -F, as in 'curl -d "name=foo[0-9]" URL'.
  719. This is easily scripted though.
  720. 18.4 --proxycommand
  721. Allow the user to make curl run a command and use its stdio to make requests
  722. and not do any network connection by itself. Example:
  723. curl --proxycommand 'ssh pi@raspberrypi.local -W 10.1.1.75 80' \
  724. http://some/otherwise/unavailable/service.php
  725. See https://github.com/curl/curl/issues/4941
  726. 18.5 UTF-8 filenames in Content-Disposition
  727. RFC 6266 documents how UTF-8 names can be passed to a client in the
  728. Content-Disposition header, and curl does not support this.
  729. https://github.com/curl/curl/issues/1888
  730. 18.6 Option to make -Z merge lined based outputs on stdout
  731. When a user requests multiple lined based files using -Z and sends them to
  732. stdout, curl does not "merge" and send complete lines fine but may send
  733. partial lines from several sources.
  734. https://github.com/curl/curl/issues/5175
  735. 18.7 specify which response codes that make -f/--fail return error
  736. Allows a user to better specify exactly which error code(s) that are fine
  737. and which are errors for their specific uses cases
  738. 18.9 Choose the name of file in braces for complex URLs
  739. When using braces to download a list of URLs and you use complicated names
  740. in the list of alternatives, it could be handy to allow curl to use other
  741. names when saving.
  742. Consider a way to offer that. Possibly like
  743. {partURL1:name1,partURL2:name2,partURL3:name3} where the name following the
  744. colon is the output name.
  745. See https://github.com/curl/curl/issues/221
  746. 18.10 improve how curl works in a Windows console window
  747. If you pull the scrollbar when transferring with curl in a Windows console
  748. window, the transfer is interrupted and can get disconnected. This can
  749. probably be improved. See https://github.com/curl/curl/issues/322
  750. 18.11 Windows: set attribute 'archive' for completed downloads
  751. The archive bit (FILE_ATTRIBUTE_ARCHIVE, 0x20) separates files that shall be
  752. backed up from those that are either not ready or have not changed.
  753. Downloads in progress are neither ready to be backed up, nor should they be
  754. opened by a different process. Only after a download has been completed it is
  755. sensible to include it in any integer snapshot or backup of the system.
  756. See https://github.com/curl/curl/issues/3354
  757. 18.12 keep running, read instructions from pipe/socket
  758. Provide an option that makes curl not exit after the last URL (or even work
  759. without a given URL), and then make it read instructions passed on a pipe or
  760. over a socket to make further instructions so that a second subsequent curl
  761. invoke can talk to the still running instance and ask for transfers to get
  762. done, and thus maintain its connection pool, DNS cache and more.
  763. 18.13 Acknowledge Ratelimit headers
  764. Consider a command line option that can make curl do multiple serial requests
  765. while acknowledging server specified rate limits:
  766. https://datatracker.ietf.org/doc/draft-ietf-httpapi-ratelimit-headers/
  767. See https://github.com/curl/curl/issues/5406
  768. 18.14 --dry-run
  769. A command line option that makes curl show exactly what it would do and send
  770. if it would run for real.
  771. See https://github.com/curl/curl/issues/5426
  772. 18.15 --retry should resume
  773. When --retry is used and curl actually retries transfer, it should use the
  774. already transferred data and do a resumed transfer for the rest (when
  775. possible) so that it does not have to transfer the same data again that was
  776. already transferred before the retry.
  777. See https://github.com/curl/curl/issues/1084
  778. 18.16 send only part of --data
  779. When the user only wants to send a small piece of the data provided with
  780. --data or --data-binary, like when that data is a huge file, consider a way
  781. to specify that curl should only send a piece of that. One suggested syntax
  782. would be: "--data-binary @largefile.zip!1073741823-2147483647".
  783. See https://github.com/curl/curl/issues/1200
  784. 18.17 consider filename from the redirected URL with -O ?
  785. When a user gives a URL and uses -O, and curl follows a redirect to a new
  786. URL, the filename is not extracted and used from the newly redirected-to URL
  787. even if the new URL may have a much more sensible filename.
  788. This is clearly documented and helps for security since there is no surprise
  789. to users which filename that might get overwritten, but maybe a new option
  790. could allow for this or maybe -J should imply such a treatment as well as -J
  791. already allows for the server to decide what filename to use so it already
  792. provides the "may overwrite any file" risk.
  793. This is extra tricky if the original URL has no filename part at all since
  794. then the current code path does error out with an error message, and we
  795. cannot *know* already at that point if curl is redirected to a URL that has a
  796. filename...
  797. See https://github.com/curl/curl/issues/1241
  798. 18.18 retry on network is unreachable
  799. The --retry option retries transfers on "transient failures". We later added
  800. --retry-connrefused to also retry for "connection refused" errors.
  801. Suggestions have been brought to also allow retry on "network is unreachable"
  802. errors and while totally reasonable, maybe we should consider a way to make
  803. this more configurable than to add a new option for every new error people
  804. want to retry for?
  805. https://github.com/curl/curl/issues/1603
  806. 18.19 expand ~/ in config files
  807. For example .curlrc could benefit from being able to do this.
  808. See https://github.com/curl/curl/issues/2317
  809. 18.20 hostname sections in config files
  810. config files would be more powerful if they could set different
  811. configurations depending on used URLs, hostname or possibly origin. Then a
  812. default .curlrc could a specific user-agent only when doing requests against
  813. a certain site.
  814. 18.21 retry on the redirected-to URL
  815. When curl is told to --retry a failed transfer and follows redirects, it
  816. might get an HTTP 429 response from the redirected-to URL and not the
  817. original one, which then could make curl decide to rather retry the transfer
  818. on that URL only instead of the original operation to the original URL.
  819. Perhaps extra emphasized if the original transfer is a large POST that
  820. redirects to a separate GET, and that GET is what gets the 529
  821. See https://github.com/curl/curl/issues/5462
  822. 18.23 Set the modification date on an uploaded file
  823. For SFTP and possibly FTP, curl could offer an option to set the
  824. modification time for the uploaded file.
  825. See https://github.com/curl/curl/issues/5768
  826. 18.24 Use multiple parallel transfers for a single download
  827. To enhance transfer speed, downloading a single URL can be split up into
  828. multiple separate range downloads that get combined into a single final
  829. result.
  830. An ideal implementation would not use a specified number of parallel
  831. transfers, but curl could:
  832. - First start getting the full file as transfer A
  833. - If after N seconds have passed and the transfer is expected to continue for
  834. M seconds or more, add a new transfer (B) that asks for the second half of
  835. A's content (and stop A at the middle).
  836. - If splitting up the work improves the transfer rate, it could then be done
  837. again. Then again, etc up to a limit.
  838. This way, if transfer B fails (because Range: is not supported) it lets
  839. transfer A remain the single one. N and M could be set to some sensible
  840. defaults.
  841. See https://github.com/curl/curl/issues/5774
  842. 18.25 Prevent terminal injection when writing to terminal
  843. curl could offer an option to make escape sequence either non-functional or
  844. avoid cursor moves or similar to reduce the risk of a user getting tricked by
  845. clever tricks.
  846. See https://github.com/curl/curl/issues/6150
  847. 18.26 Custom progress meter update interval
  848. Users who are for example doing large downloads in CI or remote setups might
  849. want the occasional progress meter update to see that the transfer is
  850. progressing and has not stuck, but they may not appreciate the
  851. many-times-a-second frequency curl can end up doing it with now.
  852. 18.27 -J and -O with %-encoded filenames
  853. -J/--remote-header-name does not decode %-encoded filenames. RFC 6266 details
  854. how it should be done. The can of worm is basically that we have no charset
  855. handling in curl and ASCII >=128 is a challenge for us. Not to mention that
  856. decoding also means that we need to check for nastiness that is attempted,
  857. like "../" sequences and the like. Probably everything to the left of any
  858. embedded slashes should be cut off.
  859. https://curl.se/bug/view.cgi?id=1294
  860. -O also does not decode %-encoded names, and while it has even less
  861. information about the charset involved the process is similar to the -J case.
  862. Note that we do not decode -O without the user asking for it with some other
  863. means, since -O has always been documented to use the name exactly as
  864. specified in the URL.
  865. 18.28 -J with -C -
  866. When using -J (with -O), automatically resumed downloading together with "-C
  867. -" fails. Without -J the same command line works. This happens because the
  868. resume logic is worked out before the target filename (and thus its
  869. pre-transfer size) has been figured out. This can be improved.
  870. https://curl.se/bug/view.cgi?id=1169
  871. 18.29 --retry and transfer timeouts
  872. If using --retry and the transfer timeouts (possibly due to using -m or
  873. -y/-Y) the next attempt does not resume the transfer properly from what was
  874. downloaded in the previous attempt but truncates and restarts at the original
  875. position where it was at before the previous failed attempt. See
  876. https://curl.se/mail/lib-2008-01/0080.html and Mandriva bug report
  877. https://qa.mandriva.com/show_bug.cgi?id=22565
  878. 19. Build
  879. 19.2 Enable PIE and RELRO by default
  880. Especially when having programs that execute curl via the command line, PIE
  881. renders the exploitation of memory corruption vulnerabilities a lot more
  882. difficult. This can be attributed to the additional information leaks being
  883. required to conduct a successful attack. RELRO, on the other hand, masks
  884. different binary sections like the GOT as read-only and thus kills a handful
  885. of techniques that come in handy when attackers are able to arbitrarily
  886. overwrite memory. A few tests showed that enabling these features had close
  887. to no impact, neither on the performance nor on the general functionality of
  888. curl.
  889. 19.3 Do not use GNU libtool on OpenBSD
  890. When compiling curl on OpenBSD with "--enable-debug" it gives linking errors
  891. when you use GNU libtool. This can be fixed by using the libtool provided by
  892. OpenBSD itself. However for this the user always needs to invoke make with
  893. "LIBTOOL=/usr/bin/libtool". It would be nice if the script could have some
  894. magic to detect if this system is an OpenBSD host and then use the OpenBSD
  895. libtool instead.
  896. See https://github.com/curl/curl/issues/5862
  897. 19.4 Package curl for Windows in a signed installer
  898. See https://github.com/curl/curl/issues/5424
  899. 19.5 make configure use --cache-file more and better
  900. The configure script can be improved to cache more values so that repeated
  901. invokes run much faster.
  902. See https://github.com/curl/curl/issues/7753
  903. 20. Test suite
  904. 20.1 SSL tunnel
  905. Make our own version of stunnel for simple port forwarding to enable HTTPS
  906. and FTP-SSL tests without the stunnel dependency, and it could allow us to
  907. provide test tools built with either OpenSSL or GnuTLS
  908. 20.2 nicer lacking perl message
  909. If perl was not found by the configure script, do not attempt to run the tests
  910. but explain something nice why it does not.
  911. 20.3 more protocols supported
  912. Extend the test suite to include more protocols. The telnet could just do FTP
  913. or http operations (for which we have test servers).
  914. 20.4 more platforms supported
  915. Make the test suite work on more platforms. OpenBSD and macOS. Remove
  916. fork()s and it should become even more portable.
  917. 20.6 Use the RFC 6265 test suite
  918. A test suite made for HTTP cookies (RFC 6265) by Adam Barth is available at
  919. https://github.com/abarth/http-state/tree/master/tests
  920. It would be good if someone would write a script/setup that would run curl
  921. with that test suite and detect deviances. Ideally, that would even be
  922. incorporated into our regular test suite.
  923. 20.8 Run web-platform-tests URL tests
  924. Run web-platform-tests URL tests and compare results with browsers on wpt.fyi
  925. It would help us find issues to fix and help us document where our parser
  926. differs from the WHATWG URL spec parsers.
  927. See https://github.com/curl/curl/issues/4477
  928. 21. MQTT
  929. 21.1 Support rate-limiting
  930. The rate-limiting logic is done in the PERFORMING state in multi.c but MQTT
  931. is not (yet) implemented to use that.
  932. 21.2 Support MQTTS
  933. 21.3 Handle network blocks
  934. Running test suite with
  935. `CURL_DBG_SOCK_WBLOCK=90 ./runtests.pl -a mqtt` makes several
  936. MQTT test cases fail where they should not.
  937. 22. TFTP
  938. 22.1 TFTP does not convert LF to CRLF for mode=netascii
  939. RFC 3617 defines that an TFTP transfer can be done using "netascii"
  940. mode. curl does not support extracting that mode from the URL nor does it treat
  941. such transfers specifically. It should probably do LF to CRLF translations
  942. for them.
  943. See https://github.com/curl/curl/issues/12655
  944. 23. Gopher
  945. 23.1 Handle network blocks
  946. Running test suite with
  947. `CURL_DBG_SOCK_WBLOCK=90 ./runtests.pl -a 1200 to 1300` makes several
  948. Gopher test cases fail where they should not.