Questions regarding storing passwords in plaintext and security

From: Michael Ambrus <>
Date: Thu, 11 Jan 2018 10:26:41 -0500

I am in the process of working through a security audit of software that is
statically linked with libcurl. The security audit is being done using
Veracode's static analysis engine. Veracode is flagging code in libcurl where
the connection password (conn->passwd) and proxy password (proxyinfo->passwd)
are set with the warning that they are stored in plain text. The security
concern with this is described by CWE ID 316.
My questions regarding these findings are:
* Has anyone done something similar? If so, how did you resolve the
situation to pass the security audit?
* Is this something likely to be resolved/addressed by the maintainers of
this project?

Thank you.