author: Daniel Stenberg <daniel@haxx.se> 2018-02-16 09:39:20 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2018-02-16 09:39:20 +0100
commit: f549b2cefea239dae06a4afb0cac1319a3e600b4 (patch)
tree: 3931ad9cc2531b52738b739feab0e2931b3748a4
parent: 74b1f89b1a7ccb60a6040615a0f20943f369d171 (diff)
TODO: 1.1 Option to refuse usernames in URLs
Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas.
-rw-r--r-- docs/TODO | 17
1 file changed, 17 insertions(+), 0 deletions(-)
diff --git a/docs/TODO b/docs/TODO
index d9d7f3e3b..f7b5101d3 100644
--- a/docs/TODO
+++ b/docs/TODO
@@ -17,6 +17,7 @@
All bugs documented in the KNOWN_BUGS document are subject for fixing!
1. libcurl
+ 1.1 Option to refuse usernames in URLs
1.2 More data sharing
1.3 struct lifreq
1.4 signal-based resolver timeouts
@@ -186,6 +187,16 @@
1. libcurl
+1.1 Option to refuse usernames in URLs
+
+ There's a certain risk for application in allowing user names in URLs. For
+ example: if the wrong person gets to set the URL and manages to set a user
+ name in there when .netrc is used, the application may send along a password
+ that otherwise the person couldn't provide.
+
+ A new libcurl option could be added to allow applications to switch off this
+ feature and thus avoid a potential risk.
+
1.2 More data sharing
curl_share_* functions already exist and work, and they can be extended to
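Review bot: the new section should say what the option does when a user name is present, not only that it exists; refusing the URL (failing the transfer with an error) is preferable to silently dropping the user name, because a failure is the only signal the application gets that someone injected credentials into a URL it did not expect. Two wording points in the same paragraph: "risk for application" should read "risk for applications", and it helps to state that the danger comes from the combination of an attacker-influenced URL and .netrc (or other stored-credential) lookups keyed on the user name, since a user name on its own is harmless; a sentence such as "the user name is used as the key for the .netrc lookup, so whoever controls the URL chooses which stored password is sent" makes the threat model explicit.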
@@ -403,6 +414,12 @@
variable can then help users to block all libcurl-using programs from
accessing the network using unsafe protocols.
+ The variable could be given some sort of syntax or different levels and be
+ used to also allow for example users to refuse libcurl to do transfers with
+ HTTPS certificate checks disabled.
+
+ It could also offer to refuse usernames in URLs (see TODO 1.1)
+
1.27 hardcode the "localhost" addresses
There's this new spec getting adopted that says "localhost" should always and
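Review bot: the added paragraph about a layered CURL_REFUSE_CLEARTEXT syntax should note the limits of an environment-variable policy: the variable only protects processes that inherit it (cron jobs, daemons started from init, and set-uid programs that scrub their environment will not see it), so it complements but cannot replace the per-application libcurl option proposed in 1.1, and the doc should say which of the two wins when both are set. Also, "It could also offer to refuse usernames in URLs (see TODO 1.1)" is missing its full stop, and "disabled" in "HTTPS certificate checks disabled" would be clearer as "turned off by the application (CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST)" so readers know which settings the refusal would cover.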