Mask password passed in as command line arg like mysql #3680

Closed
ericcurtin opened this issue Mar 13, 2019 · 8 comments

@ericcurtin
Contributor

I did this

curl -x https://user:password@your-proxy-ip-addess:12/ http://www.google.com

ps -ef | grep curl
curtine 7859 3321 0 17:32 pts/1 00:00:00 curl -x https://user:password@your-proxy-ip-addess:12/ http://www.google.com

I expected the following

Masked password for proxy password. Like mysql does https://unix.stackexchange.com/questions/78757/securely-feeding-a-program-with-a-password

curl/libcurl version

curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

operating system

ubuntu 18.04

@bagder
Member

bagder commented Mar 13, 2019

If you provide the name and password with the dedicated -U or --proxy-user flag then curl will (attempt to) hide it.

@bagder
Member

bagder commented Mar 14, 2019

I don't think we should clear the entire proxy string just because someone might pass their credentials there. We could consider scrubbing them out of the string, but since we have a working way to do this I don't think we have to.

@ericcurtin
Contributor Author

Yes -U masks just fine. Good to know. Might be worth adding to man page.
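An audit check for the exposure reported in this issue, as an added example that is not part of the thread or of curl: it reads `ps`-style lines and reports any command line carrying `scheme://user:password@` in an argument, with the password redacted in the report. The function names `scan_cmdlines` and `sample_ps` are hypothetical, and the sample process lines are constructed from the command shown in the report.

```shell
#!/usr/bin/env bash
# Added example (not curl project code): find URL-embedded credentials
# in process command lines, which any local user can read via ps.
# Input format: "PID ARGS...", as produced by `ps -eo pid=,args=`.

# scheme://user  (user part stops at ':', '@', '/' or a space)
URL_USER='[A-Za-z][A-Za-z0-9+.-]*://[^/@: ]+'
# password part: runs up to the '@' that precedes the host
URL_PASS='[^/@ ]+'

scan_cmdlines() {
    # Print "PID<TAB>redacted command line" for every line on stdin
    # whose arguments contain scheme://user:password@
    while read -r pid args; do
        [ -n "$pid" ] || continue
        if printf '%s\n' "$args" | grep -Eq "${URL_USER}:${URL_PASS}@"; then
            redacted=$(printf '%s\n' "$args" |
                sed -E "s#(${URL_USER}):${URL_PASS}@#\1:****@#g")
            printf '%s\t%s\n' "$pid" "$redacted"
        fi
    done
}

# Constructed sample input: the first line mirrors the command from the
# issue report, the other two carry no credentials and must not be flagged.
sample_ps() {
cat <<'EOF'
 7859 curl -x https://user:password@your-proxy-ip-addess:12/ http://www.google.com
 7860 curl -x https://your-proxy-ip-addess:12/ http://www.google.com
 7861 sshd: curtine@pts/1
EOF
}

# Run against the constructed sample; on a live host use instead:
#   ps -eo pid=,args= | scan_cmdlines
sample_ps | scan_cmdlines
```

A host:port URL such as `http://example.com:8080/a@b` is not flagged, because the password pattern cannot cross a `/` before reaching `@`.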

@ericcurtin
Contributor Author

I opened a PR but you were too fast for me @bagder #3684

I can close mine.

@ericcurtin
Contributor Author

Thanks 😃

bagder added a commit that referenced this issue Mar 14, 2019
Suggested-by: Eric Curtin
Improved-by: Dan Fandrich
Ref: #3680
@bagder
Member

bagder commented Mar 14, 2019

Hehe, I was a whole minute faster! 😆

bagder added a commit that referenced this issue Mar 14, 2019
Suggested-by: Eric Curtin
Improved-by: Dan Fandrich
Ref: #3680

Closes #3683
@bagder
Member

bagder commented Mar 14, 2019

@ericcurtin are you ok with us closing this issue now?

@ericcurtin
Contributor Author

👍

@lock lock bot locked as resolved and limited conversation to collaborators Jun 12, 2019