curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: How to stop bearer tokens leaking

From: Stephen Booth via curl-library <curl-library_at_lists.haxx.se>
Date: Sat, 6 Nov 2021 17:27:32 +0000

On 06/11/2021 01:03, Patrick Monnerat via curl-library wrote:
> Your version is more than 8 years old ! :-( You better upgrade, as a lot
> of other more serious security problems have been fixed since then.

Due to the lag in getting updates into the OS distro all it takes is a
system built 4 years ago. Centos 7 still tops out at 7.29 even when
fully updated.
Not worried about *that* box it was just the one to hand but even quite
new systems have default versions that don't support --oauth2-bearer for
HTTP only for IMAP etc.

>
> Please note also that argument obfuscation does not reduce the leakage
> risk to 0: there's still a tiny time between the program start and the
> info erasure, and it even does not work for some OSes.

I'm aware.
I think I'm going to use a scratch config file to pass the argument
anyway (as that works with the distro curl version)
of course I need to be quite careful how to construct that file.

                        Stephen
-- 
======================================================================
|epcc| Dr Stephen P Booth             Principal Architect       |epcc|
|epcc| s.booth_at_epcc.ed.ac.uk          Phone 0131 650 5746       |epcc|
======================================================================
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
-- 
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.haxx.se/mail/etiquette.html
Received on 2021-11-06