author | Daniel Stenberg <daniel@haxx.se> | 2018-02-16 09:39:20 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2018-02-16 09:39:20 +0100 |
commit | f549b2cefea239dae06a4afb0cac1319a3e600b4 (patch) | |
tree | 3931ad9cc2531b52738b739feab0e2931b3748a4 | |
parent | 74b1f89b1a7ccb60a6040615a0f20943f369d171 (diff) |
TODO: 1.1 Option to refuse usernames in URLs
Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas.
-rw-r--r-- | docs/TODO | 17 |
1 files changed, 17 insertions, 0 deletions
@@ -17,6 +17,7 @@ All bugs documented in the KNOWN_BUGS document are subject for fixing! 1. libcurl + 1.1 Option to refuse usernames in URLs 1.2 More data sharing 1.3 struct lifreq 1.4 signal-based resolver timeouts @@ -186,6 +187,16 @@ 1. libcurl +1.1 Option to refuse usernames in URLs + + There's a certain risk for application in allowing user names in URLs. For + example: if the wrong person gets to set the URL and manages to set a user + name in there when .netrc is used, the application may send along a password + that otherwise the person couldn't provide. + + A new libcurl option could be added to allow applications to switch off this + feature and thus avoid a potential risk. + 1.2 More data sharing curl_share_* functions already exist and work, and they can be extended to @@ -403,6 +414,12 @@ variable can then help users to block all libcurl-using programs from accessing the network using unsafe protocols. + The variable could be given some sort of syntax or different levels and be + used to also allow for example users to refuse libcurl to do transfers with + HTTPS certificate checks disabled. + + It could also offer to refuse usernames in URLs (see TODO 1.1) + 1.27 hardcode the "localhost" addresses There's this new spec getting adopted that says "localhost" should always and |
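Review bot: the new 1.1 section says the option would let applications "switch off this feature" but never states what libcurl should do when a URL with a user name is then passed in: fail the transfer with an error, or strip the credentials and proceed. Silently stripping would send a request without the credentials the caller expected, so the TODO should spell out that the transfer must fail (and which error class is returned) and that the check applies to every URL scheme that carries user@host, not only the HTTP-with-.netrc case used as the example. Minor wording: "risk for application" should read "risk for applications", and "a password that otherwise the person couldn't provide" is clearer as "a password that the person could not otherwise obtain".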
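Review bot: the expanded 1.27-area text folds three unrelated policies into CURL_REFUSE_CLEARTEXT (cleartext protocols, transfers with certificate checks disabled, user names in URLs), which the variable's name no longer describes. If it is to carry "some sort of syntax or different levels", the TODO should at least sketch that syntax (for example a comma-separated list of keywords, one per refused behaviour) so later implementers do not each invent their own, or propose a more general name. The surrounding sentence "block all libcurl-using programs from accessing the network using unsafe protocols" also overstates the mechanism: an environment variable only takes effect in programs that inherit it and whose libcurl honours it, so it is a user-side policy hint rather than enforcement, and the text should say so. Grammar: "refuse libcurl to do transfers" reads better as "refuse to let libcurl do transfers".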