Re: How to stop bearer tokens leaking
From: Stephen Booth via curl-library <curl-library_at_lists.haxx.se>
Date: Sat, 6 Nov 2021 17:27:32 +0000
On 06/11/2021 01:03, Patrick Monnerat via curl-library wrote:
> Your version is more than 8 years old! :-( You better upgrade, as a lot
> of other more serious security problems have been fixed since then.
Due to the lag in getting updates into the OS distro, all it takes is a
system built 4 years ago. CentOS 7 still tops out at 7.29 even when
fully updated.
Not worried about *that* box, it was just the one to hand, but even quite
new systems have default versions that don't support --oauth2-bearer for
HTTP, only for IMAP etc.
>
> Please note also that argument obfuscation does not reduce the leakage
> risk to 0: there's still a tiny time between the program start and the
> info erasure, and it even does not work for some OSes.
I'm aware.
I think I'm going to use a scratch config file to pass the argument
anyway (as that works with the distro curl version); of course I need
to be quite careful how to construct that file.
Stephen
--
Dr Stephen P Booth, Principal Architect, EPCC
s.booth_at_epcc.ed.ac.uk  Phone 0131 650 5746
Received on 2021-11-06
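An added example, not code from the thread or from the curl project, of the careful construction Stephen is talking about: a POSIX shell helper that escapes the token for curl's double-quoted config syntax, writes the Authorization header into a mode-0600 scratch config file for `-K`, and (as a variant) pipes the same config to `-K -` so nothing touches disk. The token variable and URL are placeholders, and the stdin variant assumes the distro curl accepts `-K -` (reading the config from stdin).

```sh
#!/bin/sh
# Added example (not from the thread). Old curl builds (CentOS 7's 7.29)
# lack --oauth2-bearer for HTTP, and -H "Authorization: Bearer ..." on the
# command line exposes the token in `ps` and /proc/<pid>/cmdline. Putting
# the header in a curl config file (-K) keeps it out of the argument list.
# Assumption: the token arrives in a variable, e.g. from a secret store.

# Escape a value for curl's double-quoted config syntax: inside "..."
# curl interprets backslash escapes, so \ and " must be escaped.
# Backslashes are handled first so the added quote escapes stay intact.
escape_curl_value() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Write a config file only the current user can read and print its path.
# mktemp creates the file 0600; umask 077 in the subshell is belt-and-braces.
write_bearer_config() {
    token="$1"
    cfg=$(umask 077 && mktemp "${TMPDIR:-/tmp}/curlcfg.XXXXXX") || return 1
    {
        printf 'header = "Authorization: Bearer %s"\n' "$(escape_curl_value "$token")"
        printf 'silent\nshow-error\n'
    } > "$cfg"
    printf '%s\n' "$cfg"
}

# Variant that never touches disk: feed the config to curl on stdin (-K -)
# through a pipe, so neither a file nor an argument carries the token.
curl_with_bearer() {
    token="$1"; shift
    printf 'header = "Authorization: Bearer %s"\n' "$(escape_curl_value "$token")" \
        | curl -K - "$@"
}

# Typical use (URL is a placeholder; the trap removes the scratch file even
# on error or interrupt):
#   cfg=$(write_bearer_config "$TOKEN") || exit 1
#   trap 'rm -f "$cfg"' EXIT INT TERM
#   curl -K "$cfg" https://api.example.invalid/resource
# or, with no file at all:
#   curl_with_bearer "$TOKEN" https://api.example.invalid/resource
```

Note that a shell heredoc (`<<EOF`) is not equivalent to the pipe: many shells back a heredoc with a temporary file, which is why the variant above uses `printf | curl -K -`.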