curl-users

Re: [martin@godisch.de: Bug#178473: curl: local user information leak]

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 28 Jan 2003 16:43:44 +0100 (CET)

On Mon, 27 Jan 2003, Domenico Andreoli wrote:

> Passwords given to option -U are visible in the ps tree:

I honestly fail to see how this is a *bug*. curl never attempted to hide it,
and I still believe people who blindly assume it does should be dragged out
in the woods and shot.

That said, I intend to apply Jamie Wilkinson's patch that'll remove the
(sensitive) command line arguments from ps output on platforms that support
that kind of weird behavior. (As soon as some extra-time leaps out from the
sky and lands on my table.)

Still, this must remain treated as an extra precaution and we should
encourage people who care about security to NOT pass sensitive information
in command line options. It has been mentioned in the curl FAQ for years.

-- 
 Daniel Stenberg -- curl, cURL, Curl, CURL. Groks URLs.
Received on 2003-01-28
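
Added example, not part of the original mail and not curl project code: one way to follow the advice above is to give curl the proxy credentials in a config file read from stdin (`--config -`), so they never appear in argv or in `ps` output. The function names, the sample user and the proxy host in the comments are constructed for illustration.

```shell
#!/bin/sh
# Keep a proxy password out of curl's argument list.

# Escape a value for a double-quoted string in a curl config file:
# backslash and double quote each get a backslash in front.
# printf is a builtin in bash and dash, and sed reads the value on stdin,
# so the secret is never placed in any process's argv.
curl_cfg_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit the config-file equivalent of: -U user:password
proxy_user_config() {
    printf 'proxy-user = "%s:%s"\n' \
        "$(curl_cfg_escape "$1")" "$(curl_cfg_escape "$2")"
}

# Return 0 if an argument list carries user:password inline after
# -U/--proxy-user or -u/--user (the pattern the bug report describes).
# Useful as a lint step over wrapper scripts or cron entries.
argv_has_inline_credentials() {
    prev=
    for arg in "$@"; do
        case "$prev" in
            -U|--proxy-user|-u|--user)
                case "$arg" in
                    *:?*) return 0 ;;
                esac
                ;;
        esac
        prev=$arg
    done
    return 1
}

# Usage (constructed host names, password read from the terminal or a
# root-only file rather than typed on the command line):
#   proxy_user_config "$PROXY_USER" "$PROXY_PASS" |
#       curl --config - -x http://proxy.example:3128 https://example.com/
```

With this form `ps` shows only `curl --config - -x ...`; the secret travels over the pipe.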