From: Daniel Stenberg Date: Fri, 16 Feb 2018 08:39:20 +0000 (+0100) Subject: TODO: 1.1 Option to refuse usernames in URLs X-Git-Tag: curl-7_59_0~66 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f549b2cefea239dae06a4afb0cac1319a3e600b4;p=curl TODO: 1.1 Option to refuse usernames in URLs Also expanded the CURL_REFUSE_CLEARTEXT section with more ideas. --- diff --git a/docs/TODO b/docs/TODO index d9d7f3e3b..f7b5101d3 100644 --- a/docs/TODO +++ b/docs/TODO @@ -17,6 +17,7 @@ All bugs documented in the KNOWN_BUGS document are subject for fixing! 1. libcurl + 1.1 Option to refuse usernames in URLs 1.2 More data sharing 1.3 struct lifreq 1.4 signal-based resolver timeouts @@ -186,6 +187,16 @@ 1. libcurl +1.1 Option to refuse usernames in URLs + + There's a certain risk for application in allowing user names in URLs. For + example: if the wrong person gets to set the URL and manages to set a user + name in there when .netrc is used, the application may send along a password + that otherwise the person couldn't provide. + + A new libcurl option could be added to allow applications to switch off this + feature and thus avoid a potential risk. + 1.2 More data sharing curl_share_* functions already exist and work, and they can be extended to @@ -403,6 +414,12 @@ variable can then help users to block all libcurl-using programs from accessing the network using unsafe protocols. + The variable could be given some sort of syntax or different levels and be + used to also allow for example users to refuse libcurl to do transfers with + HTTPS certificate checks disabled. + + It could also offer to refuse usernames in URLs (see TODO 1.1) + 1.27 hardcode the "localhost" addresses There's this new spec getting adopted that says "localhost" should always and