curl protection for password at process memory

From: מעיין בן חיים via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 30 Sep 2020 17:12:26 +0300

Hi,

I don't know whether this is a known issue or not, so I ask here before
reporting this issue.

When using libcurl, I want to have basic HTTP authentication (I use
CURLOPT_USERNAME and CURLOPT_PASSWORD for that).
However, if I create a dump of my process, I can see the password as plain
text in the process memory dump file.

I'm sure it comes from libcurl, as I clean my password buffer, right after
passing it to libcurl.

As part of a "defence in depth" strategy, I want to protect my process from
core dump attacks.

My question is:
1. Is this a known issue of libcurl?
2. Should I open/report a bug for this?

Thanks.

Eliyahu

Received on 2020-09-30
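
Added example, not part of the original mail and not libcurl code: libcurl keeps its own copy of string options, so wiping the caller's buffer cannot remove every copy, and the process-wide control is to stop the kernel from writing a core file at all. The sketch assumes Linux with glibc; the function names and the sample password are constructed for illustration.

```c
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/resource.h>

/* Wipe a buffer through a volatile pointer so the compiler cannot drop the
 * stores as dead code, which it may do with a plain memset() on a buffer
 * that is never read again. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Process-wide hardening. RLIMIT_CORE = 0 (soft and hard) forbids core files;
 * clearing the dumpable attribute makes the kernel skip the core dump for
 * this process and refuse ptrace attach from unprivileged processes.
 * Returns 0 on success, -1 if either call fails. */
int disable_core_dumps(void)
{
    struct rlimit none = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &none) != 0)
        return -1;
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Read the settings back: returns 1 only if both controls are in effect. */
int dumps_disabled(void)
{
    struct rlimit cur;
    if (getrlimit(RLIMIT_CORE, &cur) != 0)
        return 0;
    return cur.rlim_cur == 0 && cur.rlim_max == 0 &&
           prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) == 0;
}

int main(void)
{
    char password[] = "constructed-sample-password"; /* constructed value */
    if (disable_core_dumps() != 0 || !dumps_disabled())
        return 1;               /* fail closed before any secret is used */
    /* ... pass `password` to the HTTP library here ... */
    secure_wipe(password, sizeof password);
    return password[0] != 0;    /* 0 when the local copy is gone */
}
```

These controls do not stop a privileged user from reading the process memory, and the library's copy of the password stays on the heap until the handle that holds it is cleaned up.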