curl-library

Questions regarding storing passwords in plaintext and security

From: Michael Ambrus <mambrus_at_idmcomp.com>
Date: Thu, 11 Jan 2018 10:26:41 -0500

I am in the process of working through a security audit of software that is
statically linked with libcurl. The security audit is being done using
Veracode's static analysis engine (www.veracode.com). Veracode is flagging
code in libcurl where the connection password (conn->passwd) and proxy
password (proxyinfo->passwd) are set with the warning that they are stored
in plain text. The security concern with this is described by CWE ID 316
(https://cwe.mitre.org/data/definitions/316.html).

My questions regarding these findings are:
* Has anyone done something similar? If so, how did you resolve the
situation to pass the security audit?
* Is this something likely to be resolved/addressed by the maintainers of
this project?

Thank you.
Michael

 

Received on 2018-01-12