5 \___|\___/|_| \_\_____|
9 These are problems and bugs known to exist at the time of this release. Feel
10 free to join in and help us correct one or more of these! Also be sure to
11 check the changelog of the current development status, as one or more of these
12 problems may have been fixed or changed somewhat since this was written!
15 1.1 CURLFORM_CONTENTLEN in an array
16 1.2 Disabling HTTP Pipelining
17 1.3 STARTTRANSFER time is wrong for HTTP POSTs
18 1.4 multipart formposts file name encoding
19 1.5 Expect-100 meets 417
20 1.6 Unnecessary close when 401 received waiting for 100
21 1.7 CONNECT response larger than 16KB
22 1.8 DNS timing is wrong for HTTP redirects
23 1.9 HTTP/2 frames while in the connection pool kill reuse
24 1.10 Strips trailing dot from host name
27 2.1 Hangs with PolarSSL
28 2.2 CURLINFO_SSL_VERIFYRESULT has limited support
30 2.4 GnuTLS backend skips really long certificate fields
33 3.1 IMAP SEARCH ALL truncated response
34 3.2 No disconnect command
35 3.3 SMTP to multiple recipients
38 4.1 -J with %-encoded file nameas
39 4.2 -J with -C - fails
40 4.3 --retry and transfer timeouts
42 5. Build and portability issues
43 5.1 Windows Borland compiler
44 5.2 curl-config --libs contains private details
45 5.3 libidn and old iconv
46 5.4 AIX shared build with c-ares fails
47 5.5 can't handle Unicode arguments in Windows
50 6.1 NTLM authentication and unicode
51 6.2 MIT Kerberos for Windows build
52 6.3 NTLM in system context uses wrong name
53 6.4 Negotiate needs a fake user name
56 7.1 FTP without or slow 220 response
57 7.2 FTP with CONNECT and slow server
58 7.3 FTP with NOBODY and FAILONERROR
61 7.6 FTP with NULs in URL parts
62 7.7 FTP and empty path parts in the URL
65 8.1 TELNET and time limtiations don't work
66 8.2 Microsoft telnet server
69 9.1 SFTP doesn't do CURLOPT_POSTQUOTE correct
72 10.1 SOCKS proxy connections are done blocking
73 10.2 SOCKS don't support timeouts
75 10.4 active FTP over a SOCKS
78 11.1 Curl leaks .onion hostnames in DNS
79 11.2 error buffer not set if connection to multiple addresses fails
82 12.1 OpenLDAP hangs after returning results
85 13.1 --interface for ipv6 binds to unusable IP address
88 ==============================================================================
92 1.1 CURLFORM_CONTENTLEN in an array
94 It is not possible to pass a 64-bit value using CURLFORM_CONTENTLEN with
95 CURLFORM_ARRAY, when compiled on 32-bit platforms that support 64-bit
96 integers. This is because the underlying structure 'curl_forms' uses a dual
97 purpose char* for storing these values in via casting. For more information
98 see the now closed related issue:
99 https://github.com/curl/curl/issues/608
101 1.2 Disabling HTTP Pipelining
103 Disabling HTTP Pipelining when there are ongoing transfers can lead to
104 heap corruption and crash. https://curl.haxx.se/bug/view.cgi?id=1411
106 1.3 STARTTRANSFER time is wrong for HTTP POSTs
108 Wrong STARTTRANSFER timer accounting for POST requests Timer works fine with
109 GET requests, but while using POST the time for CURLINFO_STARTTRANSFER_TIME
110 is wrong. While using POST CURLINFO_STARTTRANSFER_TIME minus
111 CURLINFO_PRETRANSFER_TIME is near to zero every time.
113 https://github.com/curl/curl/issues/218
114 https://curl.haxx.se/bug/view.cgi?id=1213
116 1.4 multipart formposts file name encoding
118 When creating multipart formposts. The file name part can be encoded with
119 something beyond ascii but currently libcurl will only pass in the verbatim
120 string the app provides. There are several browsers that already do this
121 encoding. The key seems to be the updated draft to RFC2231:
122 https://tools.ietf.org/html/draft-reschke-rfc2231-in-http-02
124 1.5 Expect-100 meets 417
126 If an upload using Expect: 100-continue receives an HTTP 417 response, it
127 ought to be automatically resent without the Expect:. A workaround is for
128 the client application to redo the transfer after disabling Expect:.
129 https://curl.haxx.se/mail/archive-2008-02/0043.html
131 1.6 Unnecessary close when 401 received waiting for 100
133 libcurl closes the connection if an HTTP 401 reply is received while it is
134 waiting for the the 100-continue response.
135 https://curl.haxx.se/mail/lib-2008-08/0462.html
137 1.7 CONNECT response larger than 16KB
139 If a CONNECT response-headers are larger than BUFSIZE (16KB) when the
140 connection is meant to be kept alive (like for NTLM proxy auth), the function
141 will return prematurely and will confuse the rest of the HTTP protocol
142 code. This should be very rare.
144 1.8 DNS timing is wrong for HTTP redirects
146 When extracting timing information after HTTP redirects, only the last
147 transfer's results are returned and not the totals:
148 https://github.com/curl/curl/issues/522
150 1.9 HTTP/2 frames while in the connection pool kill reuse
152 If the server sends HTTP/2 frames (like for example an HTTP/2 PING frame) to
153 curl while the connection is held in curl's connection pool, the socket will
154 be found readable when considered for reuse and that makes curl think it is
155 dead and then it will be closed and a new connection gets created instead.
157 This is *best* fixed by adding monitoring to connections while they are kept
158 in the pool so that pings can be responded to appropriately.
160 1.10 Strips trailing dot from host name
162 When given a URL wit a trailing dot for the host name part:
163 "https://example.com./", libcurl will strip off the dot and use the name
164 without a dot internally and send it dot-less in HTTP Host: headers and in
167 The HTTP part violates RFC 7230 section 5.4 but the SNI part is accordance
168 with RFC 6066 section 3.
170 URLs using these trailing dots are very rare in the wild and we have not seen
171 or gotten any real-world problems with such URLs reported. The popular
172 browsers seem to have stayed with not stripping the dot for both uses (thus
173 they violate RFC 6066 instead of RFC 7230).
175 Daniel took the discussion to the HTTPbis mailing list in March 2016:
176 https://lists.w3.org/Archives/Public/ietf-http-wg/2016JanMar/0430.html but
177 there was not major rush or interest to fix this. The impression I get is
178 that most HTTP people rather not rock the boat now and instead prioritize web
179 compatibility rather than to strictly adhere to these RFCs.
181 Our current approach allows a knowing client to send a custom HTTP header
184 It can also be noted that while adding a trailing dot to the host name in
185 most (all?) cases will make the name resolve to the same set of IP addresses,
186 many HTTP servers will not happily accept the trailing dot there unless that
187 has been specificly configured to be a fine virtual host.
189 If URLs with trailing dots for host names become more popular or even just
190 used more than for just plain fun experiments, I'm sure we will have reason
191 to go back and reconsider.
193 See https://github.com/curl/curl/issues/716 for the discussion.
198 2.1 Hangs with PolarSSL
200 "curl_easy_perform hangs with imap and PolarSSL"
201 https://github.com/curl/curl/issues/334
203 Most likely, a fix similar to commit c111178bd4 (for mbedTLS) is
204 necessary. Or if we just wait a little longer we'll rip out all support for
207 2.2 CURLINFO_SSL_VERIFYRESULT has limited support
209 CURLINFO_SSL_VERIFYRESULT is only implemented for the OpenSSL and NSS
210 backends, so relying on this information in a generic app is flaky.
214 Curl doesn't recognize certificates in DER format in keychain, but it works
215 with PEM. https://curl.haxx.se/bug/view.cgi?id=1065
217 2.4 GnuTLS backend skips really long certificate fields
219 libcurl calls gnutls_x509_crt_get_dn() with a fixed buffer size and if the
220 field is too long in the cert, it'll just return an error and the field will
226 3.1 IMAP SEARCH ALL truncated response
228 IMAP "SEARCH ALL" truncates output on large boxes. "A quick search of the
229 code reveals that pingpong.c contains some truncation code, at line 408, when
230 it deems the server response to be too large truncating it to 40 characters"
231 https://curl.haxx.se/bug/view.cgi?id=1366
233 3.2 No disconnect command
235 The disconnect commands (LOGOUT and QUIT) may not be sent by IMAP, POP3 and
236 SMTP if a failure occurs during the authentication phase of a connection.
238 3.3 SMTP to multiple recipients
240 When sending data to multiple recipients, curl will abort and return failure
241 if one of the recipients indicate failure (on the "RCPT TO"
242 command). Ordinary mail programs would proceed and still send to the ones
243 that can receive data. This is subject for change in the future.
244 https://curl.haxx.se/bug/view.cgi?id=1116
249 4.1 -J with %-encoded file nameas
251 -J/--remote-header-name doesn't decode %-encoded file names. RFC6266 details
252 how it should be done. The can of worm is basically that we have no charset
253 handling in curl and ascii >=128 is a challenge for us. Not to mention that
254 decoding also means that we need to check for nastiness that is attempted,
255 like "../" sequences and the like. Probably everything to the left of any
256 embedded slashes should be cut off.
257 https://curl.haxx.se/bug/view.cgi?id=1294
259 4.2 -J with -C - fails
261 When using -J (with -O), automatically resumed downloading together with "-C
262 -" fails. Without -J the same command line works! This happens because the
263 resume logic is worked out before the target file name (and thus its
264 pre-transfer size) has been figured out!
265 https://curl.haxx.se/bug/view.cgi?id=1169
267 4.3 --retry and transfer timeouts
269 If using --retry and the transfer timeouts (possibly due to using -m or
270 -y/-Y) the next attempt doesn't resume the transfer properly from what was
271 downloaded in the previous attempt but will truncate and restart at the
272 original position where it was at before the previous failed attempt. See
273 https://curl.haxx.se/mail/lib-2008-01/0080.html and Mandriva bug report
274 https://qa.mandriva.com/show_bug.cgi?id=22565
277 5. Build and portability issues
279 5.1 Windows Borland compiler
281 When building with the Windows Borland compiler, it fails because the "tlib"
282 tool doesn't support hyphens (minus signs) in file names and we have such in
283 the build. https://curl.haxx.se/bug/view.cgi?id=1222
285 5.2 curl-config --libs contains private details
287 "curl-config --libs" will include details set in LDFLAGS when configure is
288 run that might be needed only for building libcurl. Further, curl-config
289 --cflags suffers from the same effects with CFLAGS/CPPFLAGS.
291 5.3 libidn and old iconv
293 Test case 165 might fail on a system which has libidn present, but with an
294 old iconv version (2.1.3 is a known bad version), since it doesn't recognize
295 the charset when named ISO8859-1. Changing the name to ISO-8859-1 makes the
296 test pass, but instead makes it fail on Solaris hosts that use its native
299 5.4 AIX shared build with c-ares fails
301 curl version 7.12.2 fails on AIX if compiled with --enable-ares. The
302 workaround is to combine --enable-ares with --disable-shared
304 5.5 can't handle Unicode arguments in Windows
306 If a URL or filename can't be encoded using the user's current codepage then
307 it can only be encoded properly in the Unicode character set. Windows uses
308 UTF-16 encoding for Unicode and stores it in wide characters, however curl
309 and libcurl are not equipped for that at the moment. And, except for Cygwin,
310 Windows can't use UTF-8 as a locale.
312 https://curl.haxx.se/bug/?i=345
313 https://curl.haxx.se/bug/?i=731
318 6.1 NTLM authentication and unicode
320 NTLM authentication involving unicode user name or password only works
321 properly if built with UNICODE defined together with the WinSSL/schannel
322 backend. The original problem was mentioned in:
323 https://curl.haxx.se/mail/lib-2009-10/0024.html
324 https://curl.haxx.se/bug/view.cgi?id=896
326 The WinSSL/schannel version verified to work as mentioned in
327 https://curl.haxx.se/mail/lib-2012-07/0073.html
329 6.2 MIT Kerberos for Windows build
331 libcurl fails to build with MIT Kerberos for Windows (KfW) due to KfW's
332 library header files exporting symbols/macros that should be kept private to
333 the KfW library. See ticket #5601 at http://krbdev.mit.edu/rt/
335 6.3 NTLM in system context uses wrong name
337 NTLM authentication using SSPI (on Windows) when (lib)curl is running in
338 "system context" will make it use wrong(?) user name - at least when compared
339 to what winhttp does. See https://curl.haxx.se/bug/view.cgi?id=535
341 6.4 Negotiate needs a fake user name
343 To get HTTP Negotiate (SPNEGO) authentication to work fine, you need to
344 provide a (fake) user name (this concerns both curl and the lib) because the
345 code wrongly only considers authentication if there's a user name provided.
346 https://curl.haxx.se/bug/view.cgi?id=440 How?
347 https://curl.haxx.se/mail/lib-2004-08/0182.html
352 7.1 FTP without or slow 220 response
354 If a connection is made to a FTP server but the server then just never sends
355 the 220 response or otherwise is dead slow, libcurl will not acknowledge the
356 connection timeout during that phase but only the "real" timeout - which may
357 surprise users as it is probably considered to be the connect phase to most
358 people. Brought up (and is being misunderstood) in:
359 https://curl.haxx.se/bug/view.cgi?id=856
361 7.2 FTP with CONNECT and slow server
363 When doing FTP over a socks proxy or CONNECT through HTTP proxy and the multi
364 interface is used, libcurl will fail if the (passive) TCP connection for the
365 data transfer isn't more or less instant as the code does not properly wait
366 for the connect to be confirmed. See test case 564 for a first shot at a test
369 7.3 FTP with NOBODY and FAILONERROR
371 It seems sensible to be able to use CURLOPT_NOBODY and CURLOPT_FAILONERROR
372 with FTP to detect if a file exists or not, but it is not working:
373 https://curl.haxx.se/mail/lib-2008-07/0295.html
377 When doing an operation over FTP that requires the ACCT command (but not when
378 logging in), the operation will fail since libcurl doesn't detect this and
379 thus fails to issue the correct command:
380 https://curl.haxx.se/bug/view.cgi?id=635
384 FTP ASCII transfers do not follow RFC959. They don't convert the data
385 accordingly (not for sending nor for receiving). RFC 959 section 3.1.1.1
386 clearly describes how this should be done:
388 The sender converts the data from an internal character representation to
389 the standard 8-bit NVT-ASCII representation (see the Telnet
390 specification). The receiver will convert the data from the standard
391 form to his own internal form.
393 Since 7.15.4 at least line endings are converted.
395 7.6 FTP with NULs in URL parts
397 FTP URLs passed to curl may contain NUL (0x00) in the RFC 1738 <user>,
398 <password>, and <fpath> components, encoded as "%00". The problem is that
399 curl_unescape does not detect this, but instead returns a shortened C string.
400 From a strict FTP protocol standpoint, NUL is a valid character within RFC
401 959 <string>, so the way to handle this correctly in curl would be to use a
402 data structure other than a plain C string, one that can handle embedded NUL
403 characters. From a practical standpoint, most FTP servers would not
404 meaningfully support NUL characters within RFC 959 <string>, anyway (e.g.,
405 Unix pathnames may not contain NUL).
407 7.7 FTP and empty path parts in the URL
409 libcurl ignores empty path parts in FTP URLs, whereas RFC1738 states that
410 such parts should be sent to the server as 'CWD ' (without an argument). The
411 only exception to this rule, is that we knowingly break this if the empty
412 part is first in the path, as then we use the double slashes to indicate that
413 the user wants to reach the root dir (this exception SHALL remain even when
419 8.1 TELNET and time limtiations don't work
421 When using telnet, the time limitation options don't work.
422 https://curl.haxx.se/bug/view.cgi?id=846
424 8.2 Microsoft telnet server
426 There seems to be a problem when connecting to the Microsoft telnet server.
427 https://curl.haxx.se/bug/view.cgi?id=649
432 9.1 SFTP doesn't do CURLOPT_POSTQUOTE correct
434 When libcurl sends CURLOPT_POSTQUOTE commands when connected to a SFTP server
435 using the multi interface, the commands are not being sent correctly and
436 instead the connection is "cancelled" (the operation is considered done)
437 prematurely. There is a half-baked (busy-looping) patch provided in the bug
438 report but it cannot be accepted as-is. See
439 https://curl.haxx.se/bug/view.cgi?id=748
444 10.1 SOCKS proxy connections are done blocking
446 Both SOCKS5 and SOCKS4 proxy connections are done blocking, which is very bad
447 when used with the multi interface.
449 10.2 SOCKS don't support timeouts
451 The SOCKS4 connection codes don't properly acknowledge (connect) timeouts.
452 According to bug #1556528, even the SOCKS5 connect code does not do it right:
453 https://curl.haxx.se/bug/view.cgi?id=604
455 When connecting to a SOCK proxy, the (connect) timeout is not properly
456 acknowledged after the actual TCP connect (during the SOCKS "negotiate"
461 libcurl doesn't support FTPS over a SOCKS proxy.
463 10.4 active FTP over a SOCKS
465 libcurl doesn't support active FTP over a SOCKS proxy
470 11.1 Curl leaks .onion hostnames in DNS
472 Curl sends DNS requests for hostnames with a .onion TLD. This leaks
473 information about what the user is attempting to access, and violates this
474 requirement of RFC7686: https://tools.ietf.org/html/rfc7686
476 Issue: https://github.com/curl/curl/issues/543
478 11.2 error buffer not set if connection to multiple addresses fails
480 If you ask libcurl to resolve a hostname like example.com to IPv6 addresses
481 only. But you only have IPv4 connectivity. libcurl will correctly fail with
482 CURLE_COULDNT_CONNECT. But the error buffer set by CURLOPT_ERRORBUFFER
483 remains empty. Issue: https://github.com/curl/curl/issues/544
486 12. LDAP and OpenLDAP
488 12.1 OpenLDAP hangs after returning results
490 By configuration defaults, openldap automatically chase referrals on
491 secondary socket descriptors. The OpenLDAP backend is asynchronous and thus
492 should monitor all socket descriptors involved. Currently, these secondary
493 descriptors are not monitored, causing openldap library to never receive
496 As a temporary workaround, disable referrals chasing by configuration.
498 The fix is not easy: proper automatic referrals chasing requires a
499 synchronous bind callback and monitoring an arbitrary number of socket
500 descriptors for a single easy handle (currently limited to 5).
502 Generic LDAP is synchronous: OK.
504 See https://github.com/curl/curl/issues/622 and
505 https://curl.haxx.se/mail/lib-2016-01/0101.html
510 13.1 --interface for ipv6 binds to unusable IP address
512 Since IPv6 provides a lot of addresses with different scope, binding to an
513 IPv6 address needs to take the proper care so that it doesn't bind to a
514 locally scoped address as that is bound to fail.
516 https://github.com/curl/curl/issues/686