curl-users

Re: [patch] hiding username:password from process lists

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Mon, 13 Jan 2003 11:55:14 +0100 (MET)

On Mon, 13 Jan 2003, Jamie Wilkinson wrote:

> I use curl in my backup scripts to upload an encrypted tarball to an ftp
> server.
> The tarball gets piped in on stdin, so it's not useful to use -K - to set
> the ftp username and password. There's a single config file for the whole
> collection of scripts that do the work, so it's not convenient to keep the
> username:password in a separate file that curl can parse.

Thanks, but...

You could easily solve the problem differently.

Why not just copy the single config file to a temporary location and there
you append the name and password section and use -K to that file?

> So, here's a simple patch that wipes out the username:password argument
> after it's been copied by the strdup in GetStr.
>
> I know that nextarg isn't only coming from argv[], but because of the
> strdup, I don't think that this is a big problem.

I'm sorry, but I can't accept this patch as it is. Writing to data that
argv[] points to is not portable. Several operating systems will crash on
such behavior.

I might consider adding this kind of code if you really insist and provide
the suitable test code that we can run in the configure script to detect if
this is indeed possible or not on this particular platform. Then we can have
something like #ifdef HAVE_ALLOW_WRITING_ARGV_DATA around that section (since
we must assume that it doesn't work until proven otherwise).

-- 
 Daniel Stenberg -- curl, cURL, Curl, CURL. Groks URLs.
Received on 2003-01-13
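
The temporary config file approach suggested in the message above, sketched as an added example (not part of the original mail and not code from the curl project). The function names, the `curlcfg.XXXXXX` template and the URL argument are hypothetical; it relies only on curl's `-K`, `-T -` and the `user = "name:password"` config-file syntax.

```shell
#!/bin/sh
# Added illustration: build a private, throw-away curl config so the
# credentials never appear in curl's argv (and so not in `ps` output).
# Function names and paths are hypothetical.

# make_curl_config BASE_CFG USER PASSWORD -> prints path of the temp config
make_curl_config() {
    base_cfg=$1; user=$2; pass=$3
    old_umask=$(umask)
    umask 077                     # owner-only, whatever mktemp defaults to
    tmp_cfg=$(mktemp "${TMPDIR:-/tmp}/curlcfg.XXXXXX")
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1
    # Start from the shared options, if that file exists.
    if [ -f "$base_cfg" ]; then
        cat "$base_cfg" >>"$tmp_cfg"
    fi
    # Inside a quoted config value, \ and " are special: escape both.
    # printf is a shell builtin, so the password is not passed in any argv.
    cred=$(printf '%s:%s' "$user" "$pass" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf 'user = "%s"\n' "$cred" >>"$tmp_cfg"
    printf '%s\n' "$tmp_cfg"
}

# upload_stdin BASE_CFG USER PASSWORD URL: stream stdin to URL, then clean up
upload_stdin() {
    cfg=$(make_curl_config "$1" "$2" "$3") || return 1
    curl -K "$cfg" -T - "$4"
    rc=$?
    rm -f "$cfg"                  # credentials do not outlive the transfer
    return "$rc"
}

# Usage (constructed): tar czf - /data | gpg -e -r KEYID |
#   upload_stdin /etc/backup/curl.cfg "$FTP_USER" "$FTP_PASS" ftp://host/backup.tgz.gpg
```

The calling script should take the username and password from its own config file or environment rather than from its command line, otherwise the exposure just moves one process up.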