cURL / Mailing Lists / curl-users / Single Mail


Re: [ Bug#178473: curl: local user information leak]

From: Daniel Stenberg <>
Date: Tue, 28 Jan 2003 16:43:44 +0100 (CET)

On Mon, 27 Jan 2003, Domenico Andreoli wrote:

> Passwords given to option -U are visible in the ps tree:

I honestly fail to see how this is a *bug*. curl never attempted to hide it,
and I still believe people who blindly assume it does should be dragged out
in the woods and shot.

That said, I intend to apply Jamie Wilkinson's patch that'll remove the
(sensitive) command line arguments from ps output on platforms that support
that kind of weird behavior. (As soon as some extra-time leaps out from the
sky and lands on my table.)

Still, this must remain treated as an extra precaution and we should
encourage people who cares about security to NOT pass sensitive information
in command line options. It has been mentioned in the curl FAQ for years.

 Daniel Stenberg -- curl, cURL, Curl, CURL. Groks URLs.
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
Received on 2003-01-28