                                  _   _ ____  _
                              ___| | | |  _ \| |
                             / __| | | | |_) | |
                            | (__| |_| |  _ <| |___
                             \___|\___/|_| \_\_____|

                Things that could be nice to do in the future

 Things to do in project curl. Please tell us what you think, contribute and
 send us patches that improve things!

 Be aware that these are things that we could do, or have once been considered
 things we could do. If you want to work on any of these areas, please
 consider bringing it up for discussion first on the mailing list so that we
 all agree it is still a good idea for the project!

 All bugs documented in the KNOWN_BUGS document are subject to fixing!

 1. libcurl
 1.1 TFO support on Windows
 1.2 Consult %APPDATA% also for .netrc
 1.3 struct lifreq
 1.5 get rid of PATH_MAX
 1.7 Support HTTP/2 for HTTP(S) proxies
 1.8 CURLOPT_RESOLVE for any port number
 1.9 Cache negative name resolves
 1.10 auto-detect proxy
 1.11 minimize dependencies with dynamically loaded modules
 1.12 updated DNS server while running
 1.13 c-ares and CURLOPT_OPENSOCKETFUNCTION
 1.14 Typesafe curl_easy_setopt()
 1.15 Monitor connections in the connection pool
 1.16 Try to URL encode given URL
 1.17 Add support for IRIs
 1.18 try next proxy if one doesn't work
 1.20 SRV and URI DNS records
 1.22 CURLINFO_PAUSE_STATE
 1.23 Offer API to flush the connection pool
 1.24 TCP Fast Open for windows
 1.25 Expose tried IP addresses that failed
 1.27 hardcode the "localhost" addresses
 1.28 FD_CLOEXEC
 1.29 Upgrade to websockets
 1.30 config file parsing

 2. libcurl - multi interface
 2.1 More non-blocking
 2.2 Better support for same name resolves
 2.3 Non-blocking curl_multi_remove_handle()
 2.4 Split connect and authentication process
 2.5 Edge-triggered sockets should work
 2.6 multi upkeep

 3. Documentation
 3.2 Provide cmake config-file

 4. FTP
 4.1 HOST
 4.2 Alter passive/active on failure and retry
 4.3 Earlier bad letter detection
 4.5 ASCII support
 4.6 GSSAPI via Windows SSPI
 4.7 STAT for LIST without data connection
 4.8 Option to ignore private IP addresses in PASV response

 5. HTTP
 5.1 Better persistency for HTTP 1.0
 5.3 Rearrange request header order
 5.4 Allow SAN names in HTTP/2 server push
 5.5 auth= in URLs

 6. TELNET
 6.1 ditch stdin
 6.2 ditch telnet-specific select
 6.3 feature negotiation debug data

 7. SMTP
 7.2 Enhanced capability support
 7.3 Add CURLOPT_MAIL_CLIENT option

 8. POP3
 8.2 Enhanced capability support

 9. IMAP
 9.1 Enhanced capability support

 10. LDAP
 10.1 SASL based authentication mechanisms

 11. SMB
 11.1 File listing support
 11.2 Honor file timestamps
 11.3 Use NTLMv2
 11.4 Create remote directories

 12. New protocols

 13. SSL
 13.2 Provide mutex locking API
 13.3 Support in-memory certs/ca certs/keys
 13.4 Cache/share OpenSSL contexts
 13.5 Export session ids
 13.6 Provide callback for cert verification
 13.7 improve configure --with-ssl
 13.8 Support DANE
 13.10 Support Authority Information Access certificate extension (AIA)
 13.11 Support intermediate & root pinning for PINNEDPUBLICKEY
 13.12 Support HSTS
 13.14 Support the clienthello extension

 14. GnuTLS
 14.2 check connection

 15. WinSSL/SChannel
 15.1 Add support for client certificate authentication
 15.3 Add support for the --ciphers option
 15.4 Add option to disable client certificate auto-send

 16. SASL
 16.1 Other authentication mechanisms
 16.2 Add QOP support to GSSAPI authentication
 16.3 Support binary messages (i.e.: non-base64)

 17. SSH protocols
 17.1 Multiplexing
 17.2 Handle growing SFTP files
 17.3 Support better than MD5 hostkey hash
 17.4 Support CURLOPT_PREQUOTE

 18. Command line tool
 18.1 sync
 18.2 glob posts
 18.3 prevent file overwriting
 18.5 UTF-8 filenames in Content-Disposition
 18.7 at least N milliseconds between requests
 18.9 Choose the name of file in braces for complex URLs
 18.10 improve how curl works in a windows console window
 18.11 Windows: set attribute 'archive' for completed downloads
 18.12 keep running, read instructions from pipe/socket
 18.15 --retry should resume
 18.16 send only part of --data
 18.17 consider file name from the redirected URL with -O ?
 18.18 retry on network is unreachable
 18.19 expand ~/ in config files
 18.20 host name sections in config files

 19. Build
 19.1 roffit
 19.2 Enable PIE and RELRO by default
 19.3 cmake test suite improvements

 20. Test suite
 20.1 SSL tunnel
 20.2 nicer lacking perl message
 20.3 more protocols supported
 20.4 more platforms supported
 20.5 Add support for concurrent connections
 20.6 Use the RFC6265 test suite
 20.7 Support LD_PRELOAD on macOS

 21. Next SONAME bump
 21.1 http-style HEAD output for FTP
 21.2 combine error codes
 21.3 extend CURLOPT_SOCKOPTFUNCTION prototype

 22. Next major release
 22.1 cleanup return codes
 22.2 remove obsolete defines
 22.3 size_t
 22.4 remove several functions
 22.5 remove CURLOPT_FAILONERROR
 22.7 remove progress meter from libcurl
 22.8 remove 'curl_httppost' from public

==============================================================================

1. libcurl

1.1 TFO support on Windows

 TCP Fast Open is supported on several platforms but not on Windows. Work on
 this was once started but never finished.

 See https://github.com/curl/curl/pull/3378

1.2 Consult %APPDATA% also for .netrc

 %APPDATA%\.netrc is not considered when running on Windows. Shouldn't it?
 See https://github.com/curl/curl/issues/4016

1.3 struct lifreq

 Use 'struct lifreq' and SIOCGLIFADDR instead of 'struct ifreq' and
 SIOCGIFADDR on newer Solaris versions, as they claim the latter is obsolete,
 in order to support IPv6 interface addresses for network interfaces
 properly.

1.5 get rid of PATH_MAX

 Having code use and rely on PATH_MAX is not nice:
 https://insanecoding.blogspot.com/2007/11/pathmax-simply-isnt.html

 Currently the libssh2 SSH based code uses it, but to remove PATH_MAX from
 there we need libssh2 to properly tell us when we pass in a too small buffer,
 and its current API (as of libssh2 1.2.7) doesn't.

1.7 Support HTTP/2 for HTTP(S) proxies

 Support for doing HTTP/2 to HTTP and HTTPS proxies is still missing.

 See https://github.com/curl/curl/issues/3570

1.8 CURLOPT_RESOLVE for any port number

 This option allows applications to set a replacement IP address for a given
 host + port pair. Consider adding support for providing a replacement address
 for the host name on all port numbers.

 See https://github.com/curl/curl/issues/1264

1.9 Cache negative name resolves

 A name resolve that has failed is likely to fail again when made within a
 short period of time. Currently we only cache positive responses.

1.10 auto-detect proxy

 libcurl could be made to detect the system proxy setup automatically and use
 that, on Windows, macOS and Linux desktops for example.
 The pull-request to use libproxy for this was deferred due to doubts on the
 reliability of the dependency and how to use it:
 https://github.com/curl/curl/pull/977

 libdetectproxy is a (C++) library for detecting the proxy on Windows:
 https://github.com/paulharris/libdetectproxy

1.11 minimize dependencies with dynamically loaded modules

 We can create a system with loadable modules/plug-ins, where these modules
 would be the ones that link to 3rd party libs. That would allow us to avoid
 having to load ALL dependencies, since only the ones needed by this
 application, invocation and set of used protocols would have to be loaded.
 See https://github.com/curl/curl/issues/349

1.12 updated DNS server while running

 If /etc/resolv.conf gets updated while a program using libcurl is running,
 it may cause name resolves to fail unless res_init() is called. We should
 consider calling res_init() + retry once unconditionally on all name resolve
 failures to mitigate against this. Firefox works like that. Note that Windows
 doesn't have res_init() or an alternative.

 https://github.com/curl/curl/issues/2251

1.13 c-ares and CURLOPT_OPENSOCKETFUNCTION

 curl will create most sockets via the CURLOPT_OPENSOCKETFUNCTION callback and
 close them with the CURLOPT_CLOSESOCKETFUNCTION callback. However, c-ares
 does not use those functions and instead opens and closes the sockets
 itself. This means that when curl passes the c-ares socket to the
 CURLMOPT_SOCKETFUNCTION it isn't owned by the application like other sockets
 are.

 See https://github.com/curl/curl/issues/2734

1.14 Typesafe curl_easy_setopt()

 One of the most common problems in libcurl using applications is the lack of
 type checks for curl_easy_setopt(), which happens because it accepts varargs
 and thus can take any type.
 One possible solution to this is to introduce a few different versions of the
 setopt function for the different kinds of data you can set:

 curl_easy_set_num() - sets a long value

 curl_easy_set_large() - sets a curl_off_t value

 curl_easy_set_ptr() - sets a pointer

 curl_easy_set_cb() - sets a callback PLUS its callback data

1.15 Monitor connections in the connection pool

 libcurl's connection cache or pool holds a number of open connections for the
 purpose of possible subsequent connection reuse. It may contain anything from
 a few to a significant number of connections. Currently, libcurl leaves all
 connections as they are, and only when a connection is iterated over for
 matching or reuse purposes is it verified that it is still alive.

 Those connections may get closed by the server side for idleness or they may
 get an HTTP/2 ping from the peer to verify that they're still alive. By
 adding monitoring of the connections while in the pool, libcurl can detect
 dead connections (and close them) better and earlier, and it can handle
 HTTP/2 pings to keep such ones alive even when not actively doing transfers
 on them.

1.16 Try to URL encode given URL

 Given a URL that for example contains spaces, libcurl could have an option
 that would try somewhat harder than it does now and convert spaces to %20 and
 perhaps URL encode byte values over 128 etc (basically do what the redirect
 following code already does).

 https://github.com/curl/curl/issues/514

1.17 Add support for IRIs

 IRIs (RFC 3987) allow localized, non-ASCII names in the URL. To properly
 support this, curl/libcurl would need to translate/encode the given input
 from the input string encoding into percent encoded output "over the wire".

 To make that work smoothly for curl users even on Windows, curl would
 probably need to be able to convert from several input encodings.
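 As an added example for 1.16 and 1.17 (this is not curl code and not the
 behaviour of any curl option), the Python below percent-encodes spaces and
 non-ASCII bytes in the path, query and userinfo, IDNA-encodes the host and
 leaves existing %XX escapes alone; it assumes the input has already been
 decoded from the local input encoding into a str:

```python
"""Percent-encode a loosely written URL or IRI into a wire-safe URI.

Added example for TODO items 1.16 and 1.17; this is not curl code and not
the behaviour of any curl option. It assumes the input is already a str
(decoded from the local input encoding) and that the host part should be
IDNA-encoded rather than percent-encoded.
"""
from urllib.parse import urlsplit, urlunsplit

_HEX = b"0123456789abcdefABCDEF"
# RFC 3986 unreserved + sub-delims, then the extra characters each
# component is allowed to contain literally.
_BASE = (b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
         b"0123456789-._~!$&'()*+,;=")
_SAFE_USERINFO = frozenset(_BASE + b":")
_SAFE_PATH = frozenset(_BASE + b":@/")
_SAFE_QUERY = frozenset(_BASE + b":@/?")


def _encode_component(text: str, safe: frozenset) -> str:
    """UTF-8 encode `text` and percent-escape every byte not in `safe`.

    Spaces become %20 and bytes >= 0x80 become %XX escapes of their UTF-8
    encoding. An existing %XX triplet is kept (normalised to upper case), so
    the function is idempotent on already-encoded input; a lone '%' that is
    not followed by two hex digits is escaped as %25.
    """
    data = text.encode("utf-8")
    out = []
    i = 0
    while i < len(data):
        byte = data[i]
        if (byte == 0x25 and i + 2 < len(data)
                and data[i + 1] in _HEX and data[i + 2] in _HEX):
            out.append(data[i:i + 3].decode("ascii").upper())
            i += 3
        elif byte in safe:
            out.append(chr(byte))
            i += 1
        else:
            out.append("%%%02X" % byte)
            i += 1
    return "".join(out)


def _encode_netloc(netloc: str) -> str:
    """Percent-encode userinfo, IDNA-encode the host, keep the port."""
    userinfo, at, hostport = netloc.rpartition("@")
    if hostport.startswith("["):            # IPv6 literal: leave as is
        host, port = hostport, ""
    else:
        host, colon, port = hostport.partition(":")
        host = host.encode("idna").decode("ascii")   # e.g. xn--bcher-kva
        port = colon + port
    if at:
        userinfo = _encode_component(userinfo, _SAFE_USERINFO) + at
    return userinfo + host + port


def encode_iri(iri: str) -> str:
    """Turn an IRI (RFC 3987) or a sloppy URL with spaces into an RFC 3986 URI."""
    parts = urlsplit(iri)
    return urlunsplit((
        parts.scheme.lower(),
        _encode_netloc(parts.netloc),
        _encode_component(parts.path, _SAFE_PATH),
        _encode_component(parts.query, _SAFE_QUERY),
        _encode_component(parts.fragment, _SAFE_QUERY),
    ))
```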
1.18 try next proxy if one doesn't work

 Allow an application to specify a list of proxies to try, and on failing to
 connect to the first, go on and try the next instead until the list is
 exhausted. Browsers support this feature at least when they specify proxies
 using PACs.

 https://github.com/curl/curl/issues/896

1.20 SRV and URI DNS records

 Offer support for resolving SRV and URI DNS records for libcurl to know which
 server to connect to for various protocols (including HTTP!).

1.22 CURLINFO_PAUSE_STATE

 Return information about the transfer's current pause state, in both
 directions. https://github.com/curl/curl/issues/2588

1.23 Offer API to flush the connection pool

 Sometimes applications want to flush all the existing connections kept alive.
 An API could allow a forced flush, or just a forced loop that would properly
 close all connections that have already been closed by the server.

1.24 TCP Fast Open for windows

 libcurl supports the CURLOPT_TCP_FASTOPEN option since 7.49.0 for Linux and
 Mac OS. Windows supports TCP Fast Open starting with Windows 10, version 1607,
 and we should add support for it.

1.25 Expose tried IP addresses that failed

 When libcurl fails to connect to a host, it should be able to offer the
 application the list of IP addresses that were used in the attempt.

 https://github.com/curl/curl/issues/2126

1.27 hardcode the "localhost" addresses

 There's this new spec getting adopted that says "localhost" should always and
 unconditionally be a local address and not get resolved by a DNS server. A
 fine way for curl to fix this would be to simply hard-code the response to
 127.0.0.1 and/or ::1 (depending on which IP versions are requested). This
 is what the browsers probably will do with this hostname.
 https://bugzilla.mozilla.org/show_bug.cgi?id=1220810

 https://tools.ietf.org/html/draft-ietf-dnsop-let-localhost-be-localhost-02

1.28 FD_CLOEXEC

 It sets the close-on-exec flag for the file descriptor, which causes the file
 descriptor to be automatically (and atomically) closed when any of the
 exec-family functions succeed. Should probably be set by default?

 https://github.com/curl/curl/issues/2252

1.29 Upgrade to websockets

 libcurl could offer a smoother path to get to a websocket connection.
 See https://github.com/curl/curl/issues/3523

 Michael Kaufmann's suggestion here:
 https://curl.haxx.se/video/curlup-2017/2017-03-19_05_Michael_Kaufmann_Websocket_support_for_curl.mp4

1.30 config file parsing

 Consider providing an API, possibly in a separate companion library, for
 parsing a config file like curl's -K/--config option, to allow applications
 to get the same ability to read curl options from files.

 See https://github.com/curl/curl/issues/3698

2. libcurl - multi interface

2.1 More non-blocking

 Make sure we don't ever loop because of non-blocking sockets returning
 EWOULDBLOCK or similar. Blocking cases include:

 - Name resolves on non-windows unless c-ares or the threaded resolver is used
 - SOCKS proxy handshakes
 - file:// transfers
 - TELNET transfers
 - The "DONE" operation (post transfer protocol-specific actions) for the
   protocols SFTP, SMTP, FTP. Fixing Curl_done() for this is a worthy task.

2.2 Better support for same name resolves

 If a name resolve has been initiated for name NN and a second easy handle
 wants to resolve that name as well, make it wait for the first resolve to end
 up in the cache instead of doing a second separate resolve. This is
 especially needed when adding many simultaneous handles using the same host
 name, when the DNS resolver can get flooded.
2.3 Non-blocking curl_multi_remove_handle()

 The multi interface has a few API calls that assume a blocking behavior, like
 add_handle() and remove_handle(), which limits what we can do internally. The
 multi API needs to be moved even more into a single function that "drives"
 everything in a non-blocking manner and signals when something is done. A
 remove or add would then only ask for the action to get started, and then
 multi_perform() etc would still be called until the add/remove is completed.

2.4 Split connect and authentication process

 The multi interface treats the authentication process as part of the connect
 phase. As such, any failures during authentication won't trigger the relevant
 QUIT or LOGOFF for protocols such as IMAP, POP3 and SMTP.

2.5 Edge-triggered sockets should work

 The multi_socket API should work with edge-triggered socket events. One of
 the internal actions that need to be improved for this to work perfectly is
 the 'maxloops' handling in transfer.c:readwrite_data().

2.6 multi upkeep

 In libcurl 7.62.0 we introduced curl_easy_upkeep. It unfortunately only works
 on easy handles. We should introduce a version of that for the multi handle,
 and also consider doing "upkeep" automatically on connections in the
 connection pool when the multi handle is in use.

 See https://github.com/curl/curl/issues/3199

3. Documentation

3.2 Provide cmake config-file

 A config-file package is a set of files provided by us to allow applications
 to write cmake scripts to find and use libcurl more easily. See
 https://github.com/curl/curl/issues/885

4. FTP

4.1 HOST

 HOST is a command for a client to tell which host name to use, to offer FTP
 servers name-based virtual hosting:

 https://tools.ietf.org/html/rfc7151

4.2 Alter passive/active on failure and retry

 When trying to connect passively to a server which only supports active
 connections, libcurl returns CURLE_FTP_WEIRD_PASV_REPLY and closes the
 connection. There could be a way to fall back to an active connection (and
 vice versa). https://curl.haxx.se/bug/feature.cgi?id=1754793

4.3 Earlier bad letter detection

 Make the detection of (bad) %0d and %0a codes in FTP URL parts happen earlier
 in the process, to avoid doing a resolve and connect in vain.

4.5 ASCII support

 FTP ASCII transfers do not follow RFC959. They don't convert the data
 accordingly.

4.6 GSSAPI via Windows SSPI

 In addition to currently supporting the SASL GSSAPI mechanism (Kerberos V5)
 via third-party GSS-API libraries, such as Heimdal or MIT Kerberos, also add
 support for GSSAPI authentication via Windows SSPI.

4.7 STAT for LIST without data connection

 Some FTP servers allow STAT for listing directories instead of using LIST,
 and the response is then sent over the control connection instead of over
 the otherwise used data connection:
 https://www.nsftools.com/tips/RawFTP.htm#STAT

 This is not detailed in any FTP specification.

4.8 Option to ignore private IP addresses in PASV response

 Some servers respond with private (RFC 1918 style) IP addresses in PASV
 responses, and some other FTP client implementations can ignore such
 addresses when received. To consider for libcurl as well. See
 https://github.com/curl/curl/issues/1455

5. HTTP

5.1 Better persistency for HTTP 1.0

 "Better" support for persistent connections over HTTP 1.0
 https://curl.haxx.se/bug/feature.cgi?id=1089001

5.3 Rearrange request header order

 Server implementors often make an effort to detect browsers and to reject
 clients that they can detect do not match. One of the last details we cannot
 yet control in libcurl's HTTP requests, which also can be exploited to detect
 that libcurl is in fact used even when it tries to impersonate a browser, is
 the order of the request headers. I propose that we introduce a new option in
 which you give headers a value, and then when the HTTP request is built it
 sorts the headers based on that number. We could then have internally created
 headers use a default value, so only headers that need to be moved have to be
 specified.

5.4 Allow SAN names in HTTP/2 server push

 curl only allows an HTTP/2 push promise if the provided :authority header
 value exactly matches the host name given in the URL. It could be extended to
 allow any name that would match the Subject Alternative Names in the server's
 TLS certificate.

 See https://github.com/curl/curl/pull/3581

5.5 auth= in URLs

 Add the ability to specify the preferred authentication mechanism to use by
 using ;auth=<mech> in the login part of the URL.

 For example:

 http://test:pass;auth=NTLM@example.com would be equivalent to specifying
 --user test:pass;auth=NTLM or --user test:pass --ntlm from the command line.

 Additionally this should be implemented for proxy base URLs as well.

6. TELNET

6.1 ditch stdin

 Reading input (to send to the remote server) on stdin is a crappy solution
 for library purposes. We need to invent a good way for the application to be
 able to provide the data to send.
6.2 ditch telnet-specific select

 Make the telnet support's network select() loop go away and merge the code
 into the main transfer loop. Until this is done, the multi interface won't
 work for telnet.

6.3 feature negotiation debug data

 Add telnet feature negotiation data to the debug callback as header data.

7. SMTP

7.2 Enhanced capability support

 Add the ability, for an application that uses libcurl, to obtain the list of
 capabilities returned from the EHLO command.

7.3 Add CURLOPT_MAIL_CLIENT option

 Rather than use the URL to specify the mail client string to present in the
 HELO and EHLO commands, libcurl should support a new CURLOPT specifically for
 specifying this data, as the URL is non-standard and to be honest a bit of a
 hack ;-)

 Please see the following thread for more information:
 https://curl.haxx.se/mail/lib-2012-05/0178.html

8. POP3

8.2 Enhanced capability support

 Add the ability, for an application that uses libcurl, to obtain the list of
 capabilities returned from the CAPA command.

9. IMAP

9.1 Enhanced capability support

 Add the ability, for an application that uses libcurl, to obtain the list of
 capabilities returned from the CAPABILITY command.

10. LDAP

10.1 SASL based authentication mechanisms

 Currently the LDAP module only supports ldap_simple_bind_s() in order to bind
 to an LDAP server. However, this function sends username and password details
 using the simple authentication mechanism (as clear text). It should instead
 be possible to use ldap_bind_s(), specifying the security context
 information ourselves.

11. SMB

11.1 File listing support

 Add support for listing the contents of an SMB share. The output should
 probably be the same as/similar to FTP.
11.2 Honor file timestamps

 The timestamp of the transferred file should reflect that of the original
 file.

11.3 Use NTLMv2

 Currently the SMB authentication uses NTLMv1.

11.4 Create remote directories

 Support for creating remote directories when uploading a file to a directory
 that doesn't exist on the server, just like --ftp-create-dirs.

12. New protocols

13. SSL

13.2 Provide mutex locking API

 Provide a libcurl API for setting mutex callbacks in the underlying SSL
 library, so that the same application code can use mutex-locking
 independently of whether OpenSSL or GnuTLS is being used.

13.3 Support in-memory certs/ca certs/keys

 You can specify the private and public keys for SSH/SSL as file paths. Some
 programs want to avoid using files and instead just pass them as in-memory
 data blobs. There's probably a challenge to make this work across the
 plethora of different TLS and SSH backends that curl supports.
 https://github.com/curl/curl/issues/2310

13.4 Cache/share OpenSSL contexts

 "Look at SSL cafile - quick traces look to me like these are done on every
 request as well, when they should only be necessary once per SSL context (or
 once per handle)". The major improvement we can rather easily do is to make
 sure we don't create and kill a new SSL "context" for every request, but
 instead make one for every connection and re-use that SSL context in the same
 style connections are re-used. It will make us use slightly more memory, but
 it will make libcurl do fewer creations and deletions of SSL contexts.

 Technically, the "caching" is probably best implemented by getting added to
 the share interface, so that easy handles who want to and can reuse the
 context specify that by sharing with the right properties set.
 https://github.com/curl/curl/issues/1110

13.5 Export session ids

 Add an interface to libcurl that enables "session IDs" to get
 exported/imported. Cris Bailiff said: "OpenSSL has functions which can
 serialise the current SSL state to a buffer of your choice, and recover/reset
 the state from such a buffer at a later date - this is used by mod_ssl for
 apache to implement an SSL session ID cache".

13.6 Provide callback for cert verification

 OpenSSL supports a callback for customised verification of the peer
 certificate, but this doesn't seem to be exposed in the libcurl APIs. Could
 it be? There's so much that could be done if it were!

13.7 improve configure --with-ssl

 Make the configure --with-ssl option first check for OpenSSL, then GnuTLS,
 then NSS...

13.8 Support DANE

 DNS-Based Authentication of Named Entities (DANE) is a way to provide SSL
 keys and certs over DNS using DNSSEC, as an alternative to the CA model.
 https://www.rfc-editor.org/rfc/rfc6698.txt

 An initial patch was posted by Suresh Krishnaswamy on March 7th 2013
 (https://curl.haxx.se/mail/lib-2013-03/0075.html) but it was too simple an
 approach. See Daniel's comments:
 https://curl.haxx.se/mail/lib-2013-03/0103.html . libunbound may be the
 correct library to base this development on.

 Björn Stenberg wrote a separate initial take on DANE that was never
 completed.

13.10 Support Authority Information Access certificate extension (AIA)

 AIA can provide various things like CRLs, but more importantly information
 about intermediate CA certificates that can allow the validation path to be
 completed when the HTTPS server doesn't itself provide them.

 Since AIA is about downloading certs on demand to complete a TLS handshake,
 it is probably a bit tricky to get done right.
 See https://github.com/curl/curl/issues/2793

13.11 Support intermediate & root pinning for PINNEDPUBLICKEY

 CURLOPT_PINNEDPUBLICKEY does not consider the hashes of intermediate & root
 certificates when comparing the pinned keys. Therefore it is not compatible
 with "HTTP Public Key Pinning", as there intermediate and root certificates
 can be pinned as well. This is very useful as it prevents webadmins from
 "locking themselves out of their servers".

 Adding this feature would make curl's pinning 100% compatible with HPKP and
 allow more flexible pinning.

13.12 Support HSTS

 "HTTP Strict Transport Security" is a TOFU (trust on first use), time-based
 feature indicated by an HTTP header sent by the webserver. It is widely used
 in browsers and its purpose is to prevent insecure HTTP connections after
 a previous HTTPS connection. It protects against SSL stripping attacks.

 Doc: https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
 RFC 6797: https://tools.ietf.org/html/rfc6797

13.14 Support the clienthello extension

 Certain stupid networks and middle boxes have a problem with SSL handshake
 packets that are within a certain size range, because of how that sets some
 bits that previously (in older TLS versions) were not set. The clienthello
 extension adds padding to avoid that size range.

 https://tools.ietf.org/html/rfc7685
 https://github.com/curl/curl/issues/2299

14. GnuTLS

14.2 check connection

 Add a way to check if the connection seems to be alive, to correspond to the
 SSL_peek() way we use with OpenSSL.

15. WinSSL/SChannel

15.1 Add support for client certificate authentication

 WinSSL/SChannel currently makes use of the OS-level system and user
 certificate and private key stores. This does not allow the application
 or the user to supply a custom client certificate using curl or libcurl.

 Therefore support for the existing -E/--cert and --key options should be
 implemented by supplying a custom certificate to the SChannel APIs, see:
 - Getting a Certificate for Schannel
   https://msdn.microsoft.com/en-us/library/windows/desktop/aa375447.aspx

15.3 Add support for the --ciphers option

 The cipher suites used by WinSSL/SChannel are configured on an OS-level
 instead of an application-level. This does not allow the application or
 the user to customize the configured cipher suites using curl or libcurl.

 Therefore support for the existing --ciphers option should be implemented
 by mapping the OpenSSL/GnuTLS cipher suites to the SChannel APIs, see
 - Specifying Schannel Ciphers and Cipher Strengths
   https://msdn.microsoft.com/en-us/library/windows/desktop/aa380161.aspx

15.4 Add option to disable client certificate auto-send

 Microsoft says "By default, Schannel will, with no notification to the client,
 attempt to locate a client certificate and send it to the server." That could
 be considered a privacy violation and unexpected.

 Some Windows users have come to expect that default behavior, and to change
 the default to make it consistent with other SSL backends would be a breaking
 change. An option should be added that can be used to disable the default
 Schannel auto-send behavior.

 https://github.com/curl/curl/issues/2262

16. SASL

16.1 Other authentication mechanisms

 Add support for other authentication mechanisms such as OLP,
 GSS-SPNEGO and others.
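 Returning to the HSTS item in 13.12: as an added example (not curl code, and
 not the design curl later adopted), the Python below implements the three
 pieces a client needs, parsing the Strict-Transport-Security header per RFC
 6797, remembering the policy per host with its expiry, and deciding whether a
 plain-http request must be rewritten to https, including the includeSubDomains
 and max-age=0 cases. Hosts, header values and timestamps are constructed.

```python
"""Minimal HSTS (RFC 6797) policy store: parse, remember, consult.

Added example for TODO item 13.12; it is not curl code and does not describe
the design curl later adopted. Host names, header values and timestamps used
with it are constructed for the demonstration.
"""
from typing import Dict, Optional, Tuple


def parse_sts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security field value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid per RFC 6797 section 6.1 (missing or malformed max-age, or a
    directive given twice), in which case the receiver must ignore it.
    Unknown directives (for example 'preload') are ignored, not rejected.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            digits = raw.strip().strip('"')     # value may be a quoted-string
            if not digits.isdigit():
                return None
            max_age = int(digits)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


def _is_ip_literal(host: str) -> bool:
    """HSTS is only defined for domain names, never for IP literals."""
    return ":" in host or host.replace(".", "").isdigit()


class HstsStore:
    """Known-HSTS-hosts cache: host -> (absolute expiry time, includeSubDomains)."""

    def __init__(self) -> None:
        self._hosts: Dict[str, Tuple[float, bool]] = {}

    def note_response(self, host: str, sts_value: str, now: float,
                      over_tls: bool = True) -> bool:
        """Record the policy carried by a response from `host`.

        Only a header received over an error-free TLS connection counts: a
        header seen over plain HTTP must be ignored, or an attacker on the
        path could plant or clear policies. Returns True when a policy is now
        stored for the host, False when it was ignored or removed.
        """
        host = host.lower().rstrip(".")
        if not over_tls or _is_ip_literal(host):
            return False
        parsed = parse_sts_header(sts_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:                  # max-age=0 tells us to forget the host
            self._hosts.pop(host, None)
            return False
        self._hosts[host] = (now + max_age, include_subdomains)
        return True

    def should_upgrade(self, host: str, now: float) -> bool:
        """True when a plain-http request to `host` must be rewritten to https.

        Checks the exact host first, then every superdomain, which only
        applies if its policy carried includeSubDomains. Expired entries are
        dropped as they are encountered.
        """
        host = host.lower().rstrip(".")
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expires, include_subdomains = entry
            if expires <= now:
                del self._hosts[candidate]
                continue
            if i == 0 or include_subdomains:
                return True
        return False
```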
16.2 Add QOP support to GSSAPI authentication

 Currently the GSSAPI authentication only supports the default QOP of auth
 (Authentication), whilst Kerberos V5 supports both auth-int (Authentication
 with integrity protection) and auth-conf (Authentication with integrity and
 privacy protection).

16.3 Support binary messages (i.e.: non-base64)

 Mandatory to support LDAP SASL authentication.

17. SSH protocols

17.1 Multiplexing

 SSH is a perfectly fine multiplexed protocol which would allow libcurl to do
 multiple parallel transfers from the same host using the same connection,
 much in the same spirit as HTTP/2 does. libcurl however does not take
 advantage of that ability but will instead always create a new connection for
 new transfers, even if a connection to the host already exists.

 To fix this, libcurl would have to detect an existing connection and "attach"
 the new transfer to the existing one.

17.2 Handle growing SFTP files

 The SFTP code in libcurl checks the file size *before* a transfer starts and
 then proceeds to transfer exactly that amount of data. If the remote file
 grows while the transfer is in progress, libcurl won't notice and will not
 adapt. The OpenSSH SFTP command line tool does, and libcurl could also just
 attempt to download more to see if there is more to get...

 https://github.com/curl/curl/issues/4344

17.3 Support better than MD5 hostkey hash

 libcurl offers the CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 option for verifying the
 server's key. MD5 is generally being deprecated, so we should implement
 support for stronger hashing algorithms. libssh2 itself is what provides this
 underlying functionality, and it supports at least SHA-1 as an alternative.
 SHA-1 is also being deprecated these days, so we should consider working with
 libssh2 to instead offer support for SHA-256 or similar.
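 As an added example for 17.3 (not curl or libssh2 code), the Python below
 computes both the legacy 32-hex-digit MD5 fingerprint and an OpenSSH-style
 SHA-256 fingerprint over the raw host key blob, verifies a presented key
 against a pin of either form in constant time, and parses a known_hosts line
 into that blob; the key blob is constructed and is not a real key.

```python
"""SSH host-key fingerprints: the legacy MD5 form next to a SHA-256 form.

Added example for TODO item 17.3; it is not curl or libssh2 code. It works on
the raw public-key blob (the base64 field of a known_hosts line), which is
what both fingerprint styles are computed over. CONSTRUCTED_KEY_BLOB is a
stand-in for an ssh-ed25519 key and is not a real key.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


# Constructed stand-in for an ssh-ed25519 public key (32 arbitrary bytes).
CONSTRUCTED_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))


def md5_fingerprint(key_blob: bytes) -> str:
    """32 hex digits, the format CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 takes."""
    return hashlib.md5(key_blob).hexdigest()


def sha256_fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style 'SHA256:' + unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_hostkey(key_blob: bytes, pinned: str) -> bool:
    """Constant-time check of a presented key against a pinned fingerprint.

    Accepts the SHA-256 form or the legacy MD5 form (with or without the
    colons OpenSSH prints), so callers can move pins to SHA-256 one at a time.
    """
    if pinned.startswith("SHA256:"):
        actual = sha256_fingerprint(key_blob)
    else:
        actual = md5_fingerprint(key_blob)
        pinned = pinned.replace(":", "").lower()
    return hmac.compare_digest(actual.encode("ascii"), pinned.encode("ascii"))


def known_hosts_line(host: str, key_type: str, key_blob: bytes) -> str:
    """Format one OpenSSH known_hosts line (hostnames, key type, base64 key)."""
    return "%s %s %s" % (host, key_type, base64.b64encode(key_blob).decode("ascii"))


def parse_known_hosts_line(line: str):
    """Split a known_hosts line into (hosts, key_type, key_blob).

    Returns None for comments, blank or short lines, undecodable base64, and
    lines whose key type field disagrees with the type embedded in the blob.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 3:
        return None
    hosts, key_type = fields[0].split(","), fields[1]
    try:
        blob = base64.b64decode(fields[2], validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return None
    if len(blob) < 4:
        return None
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        return None
    return hosts, key_type, blob
```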
821 82217.4 Support CURLOPT_PREQUOTE 823 824 The two other QUOTE options are supported for SFTP, but this was left out for 825 unknown reasons! 826 82718. Command line tool 828 82918.1 sync 830 831 "curl --sync http://example.com/feed[1-100].rss" or 832 "curl --sync http://example.net/{index,calendar,history}.html" 833 834 Downloads a range or set of URLs using the remote name, but only if the 835 remote file is newer than the local file. A Last-Modified HTTP date header 836 should also be used to set the mod date on the downloaded file. 837 83818.2 glob posts 839 840 Globbing support for -d and -F, as in 'curl -d "name=foo[0-9]" URL'. 841 This is easily scripted though. 842 84318.3 prevent file overwriting 844 845 Add an option that prevents curl from overwriting existing local files. When 846 used, and there already is an existing file with the target file name 847 (either -O or -o), a number should be appended (and increased if already 848 existing). So that index.html becomes first index.html.1 and then 849 index.html.2 etc. 850 85118.5 UTF-8 filenames in Content-Disposition 852 853 RFC 6266 documents how UTF-8 names can be passed to a client in the 854 Content-Disposition header, and curl does not support this. 855 856 https://github.com/curl/curl/issues/1888 857 85818.7 at least N milliseconds between requests 859 860 Allow curl command lines issue a lot of request against services that limit 861 users to no more than N requests/second or similar. Could be implemented with 862 an option asking that at least a certain time has elapsed since the previous 863 request before the next one will be performed. 
Example:

$ curl "https://example.com/api?input=[1-1000]" -d yadayada --after 500

See https://github.com/curl/curl/issues/3920

18.9 Choose the name of file in braces for complex URLs

When using braces to download a list of URLs and you use complicated names
in the list of alternatives, it could be handy to allow curl to use other
names when saving.

Consider a way to offer that. Possibly like
{partURL1:name1,partURL2:name2,partURL3:name3} where the name following the
colon is the output name.

See https://github.com/curl/curl/issues/221

18.10 improve how curl works in a windows console window

If you pull the scrollbar when transferring with curl in a Windows console
window, the transfer is interrupted and can get disconnected. This can
probably be improved. See https://github.com/curl/curl/issues/322

18.11 Windows: set attribute 'archive' for completed downloads

The archive bit (FILE_ATTRIBUTE_ARCHIVE, 0x20) separates files that shall be
backed up from those that are either not ready or have not changed.

Downloads in progress are neither ready to be backed up, nor should they be
opened by a different process. Only after a download has been completed it's
sensible to include it in any integer snapshot or backup of the system.

See https://github.com/curl/curl/issues/3354

18.12 keep running, read instructions from pipe/socket

Provide an option that makes curl not exit after the last URL (or even work
without a given URL), and then make it read instructions passed on a pipe or
over a socket to make further instructions so that a second subsequent curl
invoke can talk to the still running instance and ask for transfers to get
done, and thus maintain its connection pool, DNS cache and more.
18.15 --retry should resume

When --retry is used and curl actually retries a transfer, it should use the
already transferred data and do a resumed transfer for the rest (when
possible) so that it doesn't have to transfer the same data again that was
already transferred before the retry.

See https://github.com/curl/curl/issues/1084

18.16 send only part of --data

When the user only wants to send a small piece of the data provided with
--data or --data-binary, like when that data is a huge file, consider a way
to specify that curl should only send a piece of that. One suggested syntax
would be: "--data-binary @largefile.zip!1073741823-2147483647".

See https://github.com/curl/curl/issues/1200

18.17 consider file name from the redirected URL with -O ?

When a user gives a URL and uses -O, and curl follows a redirect to a new
URL, the file name is not extracted and used from the newly redirected-to URL
even if the new URL may have a much more sensible file name.

This is clearly documented and helps for security since there's no surprise
to users about which file name might get overwritten. But maybe a new option
could allow for this, or maybe -J should imply such a treatment as well, as
-J already allows for the server to decide what file name to use so it
already provides the "may overwrite any file" risk.

This is extra tricky if the original URL has no file name part at all since
then the current code path will error out with an error message, and we can't
*know* already at that point if curl will be redirected to a URL that has a
file name...

See https://github.com/curl/curl/issues/1241

18.18 retry on network is unreachable

The --retry option retries transfers on "transient failures". We later added
--retry-connrefused to also retry for "connection refused" errors.
Suggestions have been brought to also allow retry on "network is unreachable"
errors and while totally reasonable, maybe we should consider a way to make
this more configurable than to add a new option for every new error people
want to retry for?

https://github.com/curl/curl/issues/1603

18.19 expand ~/ in config files

For example .curlrc could benefit from being able to do this.

See https://github.com/curl/curl/issues/2317

18.20 host name sections in config files

Config files would be more powerful if they could set different
configurations depending on the used URL, host name or possibly origin. Then
a default .curlrc could set a specific user-agent only when doing requests
against a certain site.

19. Build

19.1 roffit

Consider extending 'roffit' to produce decent ASCII output, and use that
instead of (g)nroff when building src/tool_hugehelp.c

19.2 Enable PIE and RELRO by default

Especially when having programs that execute curl via the command line, PIE
renders the exploitation of memory corruption vulnerabilities a lot more
difficult. This can be attributed to the additional information leaks being
required to conduct a successful attack. RELRO, on the other hand, marks
different binary sections like the GOT as read-only and thus kills a handful
of techniques that come in handy when attackers are able to arbitrarily
overwrite memory. A few tests showed that enabling these features had close
to no impact, neither on the performance nor on the general functionality of
curl.

19.3 cmake test suite improvements

The cmake build doesn't support 'make show' so it doesn't know which tests
are in the makefile or not (making appveyor builds do many false warnings
about it) nor does it support running the test suite if building out-of-tree.

See https://github.com/curl/curl/issues/3109
20. Test suite

20.1 SSL tunnel

Make our own version of stunnel for simple port forwarding to enable HTTPS
and FTP-SSL tests without the stunnel dependency, and it could allow us to
provide test tools built with either OpenSSL or GnuTLS.

20.2 nicer lacking perl message

If perl wasn't found by the configure script, don't attempt to run the tests
but explain nicely why it doesn't.

20.3 more protocols supported

Extend the test suite to include more protocols. The telnet could just do FTP
or HTTP operations (for which we have test servers).

20.4 more platforms supported

Make the test suite work on more platforms. OpenBSD and Mac OS. Remove
fork()s and it should become even more portable.

20.5 Add support for concurrent connections

Tests 836, 882 and 938 were designed to verify that separate connections
aren't used when using different login credentials in protocols that
shouldn't re-use a connection under such circumstances.

Unfortunately, ftpserver.pl doesn't appear to support multiple concurrent
connections. The read while() loop seems to loop until it receives a
disconnect from the client, where it then enters the waiting for connections
loop. When the client opens a second connection to the server, the first
connection hasn't been dropped (unless it has been forced - which we
shouldn't do in these tests) and thus the wait for connections loop is never
entered to receive the second connection.

20.6 Use the RFC6265 test suite

A test suite made for HTTP cookies (RFC 6265) by Adam Barth is available at
https://github.com/abarth/http-state/tree/master/tests

It'd be really awesome if someone would write a script/setup that would run
curl with that test suite and detect deviances. Ideally, that would even be
incorporated into our regular test suite.
20.7 Support LD_PRELOAD on macOS

LD_PRELOAD doesn't work on macOS, but there are tests which require it to run
properly. Look into making the preload support in runtests.pl portable such
that it uses DYLD_INSERT_LIBRARIES on macOS.

21. Next SONAME bump

21.1 http-style HEAD output for FTP

#undef CURL_FTP_HTTPSTYLE_HEAD in lib/ftp.c to remove the HTTP-style headers
from being output in NOBODY requests over FTP

21.2 combine error codes

Combine some of the error codes to remove duplicates. The original
numbering should not be changed, and the old identifiers would be
macroed to the new ones in a CURL_NO_OLDIES section to help with
backward compatibility.

Candidates for removal and their replacements:

CURLE_FILE_COULDNT_READ_FILE => CURLE_REMOTE_FILE_NOT_FOUND
CURLE_FTP_COULDNT_RETR_FILE => CURLE_REMOTE_FILE_NOT_FOUND
CURLE_FTP_COULDNT_USE_REST => CURLE_RANGE_ERROR
CURLE_FUNCTION_NOT_FOUND => CURLE_FAILED_INIT
CURLE_LDAP_INVALID_URL => CURLE_URL_MALFORMAT
CURLE_TFTP_NOSUCHUSER => CURLE_TFTP_ILLEGAL
CURLE_TFTP_NOTFOUND => CURLE_REMOTE_FILE_NOT_FOUND
CURLE_TFTP_PERM => CURLE_REMOTE_ACCESS_DENIED

21.3 extend CURLOPT_SOCKOPTFUNCTION prototype

The current prototype only provides 'purpose' that tells what the
connection/socket is for, but not any protocol or similar. It makes it hard
for applications to differentiate on TCP vs UDP and even HTTP vs FTP and
similar.

22. Next major release

22.1 cleanup return codes

curl_easy_cleanup() returns void, but curl_multi_cleanup() returns a
CURLMcode. These should be changed to be the same.
22.2 remove obsolete defines

Remove obsolete defines from curl/curl.h

22.3 size_t

Make several functions use size_t instead of int in their APIs

22.4 remove several functions

Remove the following functions from the public API:

curl_getenv
curl_mprintf (and variations)
curl_strequal
curl_strnequal

They will instead become curlx_ alternatives. That makes the curl app
still capable of using them, by building with them from source.

These functions have no purpose anymore:

curl_multi_socket
curl_multi_socket_all

22.5 remove CURLOPT_FAILONERROR

Remove support for CURLOPT_FAILONERROR, it has gotten too kludgy and weird
internally. Let the app judge success or not for itself.

22.7 remove progress meter from libcurl

The internally provided progress meter output doesn't belong in the library.
Basically no application wants it (apart from curl) but instead applications
can and should do their own progress meters using the progress callback.

The progress callback should then be bumped as well to get proper 64-bit
variable types passed to it instead of doubles so that big files work
correctly.

22.8 remove 'curl_httppost' from public

curl_formadd() was made to fill in a public struct, but the fact that the
struct is public is never really used by applications for their own advantage
but instead often restricts how the form functions can or can't be modified.

Changing them to return a private handle will benefit the implementation and
allow us much greater freedoms while still maintaining a solid API and ABI.