curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: credentials in memory

From: Daniel Stenberg via curl-library <>
Date: Fri, 30 Sep 2022 10:57:59 +0200 (CEST)

On Fri, 30 Sep 2022, David Woodhouse wrote:

> Don't forget to ensure that all *transitional* storage is securely wiped,
> including request buffers in which the password has been (decrypted and)
> sent.

The buffers we use for transport are all used temporary and are never kept
around for long until they are overwritten again.

I suppose that if an error occurs exactly when the block of data is meant to
get sent off and the buffer then contains the password (for FTP, or HTTP basic
or similar), it risks linger around for a longer time.

  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features
Received on 2022-09-30