curl.1 document -J doesn't %-decode

...also added as KNOWN_BUG #87 with reference to bug #1294

docs/KNOWN_BUGS

@@ -3,6 +3,14 @@ join in and help us correct one or more of these! Also be sure to check the
 changelog of the current development status, as one or more of these problems
 may have been fixed since this was written!
 
+87. -J/--remote-header-name doesn't decode %-encoded file names. RFC6266
+  details how it should be done. The can of worm is basically that we have no
+  charset handling in curl and ascii >=128 is a challenge for us. Not to
+  mention that decoding also means that we need to check for nastyness that is
+  attempted, like "../" sequences and the like. Probably everything to the left
+  of any embedded slashes should be cut off.
+  http://curl.haxx.se/bug/view.cgi?id=1294
+
 86. The disconnect commands (LOGOUT and QUIT) may not be sent by IMAP, POP3
   and SMTP if a failure occures during the authentication phase of a
   connection.

docs/curl.1

@@ -711,6 +711,9 @@ cookies when they're closed down.
 (HTTP) This option tells the \fI-O, --remote-name\fP option to use the
 server-specified Content-Disposition filename instead of extracting a filename
 from the URL.
+
+There's no attempt to decode %-sequences (yet) in the provided file name, so
+this option may provide you with rather unexpected file names.
 .IP "-k, --insecure"
 (SSL) This option explicitly allows curl to perform "insecure" SSL connections
 and transfers. All SSL connections are attempted to be made secure by using