Diffstat (limited to 'docs')
-rw-r--r-- docs/TODO 17
1 files changed, 17 insertions, 0 deletions
diff --git a/docs/TODO b/docs/TODO
index d9d7f3e3b..f7b5101d3 100644
--- a/docs/TODO
+++ b/docs/TODO
@@ -17,6 +17,7 @@
All bugs documented in the KNOWN_BUGS document are subject for fixing!
1. libcurl
+ 1.1 Option to refuse usernames in URLs
1.2 More data sharing
1.3 struct lifreq
1.4 signal-based resolver timeouts
@@ -186,6 +187,16 @@
1. libcurl
+1.1 Option to refuse usernames in URLs
+
+ There's a certain risk for application in allowing user names in URLs. For
+ example: if the wrong person gets to set the URL and manages to set a user
+ name in there when .netrc is used, the application may send along a password
+ that otherwise the person couldn't provide.
+
+ A new libcurl option could be added to allow applications to switch off this
+ feature and thus avoid a potential risk.
+
1.2 More data sharing
curl_share_* functions already exist and work, and they can be extended to
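Review bot: the second paragraph of 1.1 says the new option would "switch off this feature" but never states what libcurl should do when a URL with a user name is passed while the option is set. The heading says "refuse", so say explicitly that the transfer is rejected with an error instead of the user name being silently dropped, because silently dropping it could still send the request without the caller noticing the URL was tampered with. Minor wording point in the first paragraph: "risk for application" should read "risk for applications".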
@@ -403,6 +414,12 @@
variable can then help users to block all libcurl-using programs from
accessing the network using unsafe protocols.
+ The variable could be given some sort of syntax or different levels and be
+ used to also allow for example users to refuse libcurl to do transfers with
+ HTTPS certificate checks disabled.
+
+ It could also offer to refuse usernames in URLs (see TODO 1.1)
+
1.27 hardcode the "localhost" addresses
There's this new spec getting adopted that says "localhost" should always and
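Review bot: "some sort of syntax or different levels" in the first added paragraph is too vague to act on; since the variable would now gate three separate behaviours (unsafe protocols, disabled HTTPS certificate checks, user names in URLs), the entry should at least say whether these are independent switches or ordered levels, because ordered levels would force a user who only wants certificate checks enforced to accept the other restrictions too. The last added sentence, "It could also offer to refuse usernames in URLs (see TODO 1.1)", is missing its closing period, and "users to refuse libcurl to do transfers" would read better as "users to make libcurl refuse transfers".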