curl-library
Questions regarding storing passwords in plaintext and security
Date: Thu, 11 Jan 2018 10:26:41 -0500
I am in the process of working through a security audit of software that is
statically linked with libcurl. The security audit is being done using
Veracode's static analysis engine (www.veracode.com). Veracode is flagging
code in libcurl where the connection password (conn->passwd) and proxy
password (proxyinfo->passwd) are set with the warning that they are stored
in plain text. The security concern with this is described by CWE ID 316
(https://cwe.mitre.org/data/definitions/316.html ).
My questions regarding these findings are:
* Has anyone done something similar? If so, how did you resolve the
situation to pass the security audit?
* Is this something likely to be resolved/addressed by the maintainers of
this project?
Thank you.
Michael
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-01-12