curl / Mailing Lists / curl-library / Single Mail


Re: Questions regarding storing passwords in plaintext and security

From: Daniel Stenberg <>
Date: Sat, 13 Jan 2018 22:33:27 +0100 (CET)

On Thu, 11 Jan 2018, Michael Ambrus wrote:

> I am in the process of working through a security audit of software that is
> statically linked with libcurl. The security audit is being done using
> Veracode's static analysis engine ( Veracode is flagging
> code in libcurl where the connection password (conn->passwd) and proxy
> password (proxyinfo->passwd) are set with the warning that they are stored
> in plain text.

Stored, as stored in memory, yes. libcurl needs them in plain text to be able
to use them in the authentication mechanisms that it supports.

> * Is this something likely to be resolved/addressed by the maintainers of
> this project?

I've seen the concern raised before but we haven't done any real
counter-measures internally.

It would of course reduce the impact of memory disclosures and similar flaws
if the passwords and usernames were kept encrypted somehow during the times it
isn't absolutely necessary to have them around. I've just never felt that
feature to be important enough for me or anyone else to actually have a go at

Received on 2018-01-13