The subject was brought up for discussion on the mailing list: https://curl.se/mail/lib-2022-09/0149.html - no actual changes for this have been made.
This remains an outstanding TODO. MQTT is a little used protocol in curl and this (MQTT over TLS) has not appeared much as a wanted feature.
curl now outputs a warning, and a warning was added to the man page for the option: curl/curl#9519
The curl team has not accepted that this would add much value. Contributors mostly don’t read such documents before contributing. Banned functions should be rejected by tools. Use of non-banned functions should be verified by human code reviews, tests and static code analyzers.
curl considers localhost to be “secure” in some contexts. This is done on purpose to match how other popular cookie using HTTP clients/browsers work. Documentation update: curl/curl#9938
It does not “skip” name resolution checks because it is “secure”, it hardcodes localhost as local addresses in order to make sure it is actually secure, i.e. done on the local host via loopback only.
The curl team cannot fully accept the recommendations here. We consider it our expertise to work out how to deal with protocols and the parsing of their components. This, combined with history, legacy and our strong commitment to keep existing behaviors has led to the decisions and existing code we use. We should always be as strict as possible and we should test all parsers thoroughly, including with fuzzers.
The issue mentioned with TAB was not a parsing problem, but a file storage problem, as TABs are allowed in cookies. Expanded in this blog post: https://daniel.haxx.se/blog/2022/10/14/there-is-a-tab-in-my-cookie/
We document all features we support in depth,with details and with examples. We do not and cannot document “RFC compliance”, and neither does any competitor, similar tools or other network libraries or browsers. Because it simply is not possible. The amount of RFCs is too large, the number of conflicting documents are numerous and interoperability across the Internet trumps all of that.
Expanded more in this blog post: https://daniel.haxx.se/blog/2022/10/18/deviating-from-specs/
Fixed in curl/curl#9654
Fixed in curl/curl#9608 (and later amended somewhat more)
Fixed in curl/curl#9607 (and later amended somewhat more)
Fixed in curl/curl#9658
Fixed in curl/curl#9659
Fixed in curl/curl#9663 (with a follow-up fix in curl/curl#9708)
Filed as a CVE: https://curl.se/docs/CVE-2022-42915.html
This is by design. We incorporated a change that makes it mandatory for the documentation to mention how curl deals with multi-use of options: Fixed in curl/curl#9759
This is by design and we do not see a way to change this behavior without breaking behavior for existing users. This is also not the typical way users use cookies with curl so those who do provide cookies like this usually do it in special crafted ways. This behavior is also documented in the man page for the --cookie option.
Fixed in curl/curl#9729
Fixed in curl/curl#9749 (and later amended somewhat more)
This topic was brought to the mailing list https://curl.se/mail/lib-2022-10/0039.html but no real desire in changing the default behavior was picked up, rather the opposite. This is a function that is rarely used, so presumably users that do not want this way of working will and should not enable it.
Redirect to localhost and local network is possible (Server-side request forgery like) (TOB-CURL-13)
This is working as intended and I do not see how adding a warning here will help anyone or anything. The option asks curl to follow a redirect and there is nothing that says or indicates that it would not follow a redirect to certain hosts or host names. Of course it will also follow redirects to “local” host names, for any definition of local.
The built-in redirect-following is not meant to be the way that covers all possible ways to do redirects for all users in all situations. If users need more control and more say in how redirects are done, curl and libcurl provide the means to let users follow them themselves. curl does not follow any redirects by default.
Fixed in curl/curl#9763