Metadata and potential password leaks via --log= #1329

Closed
@RootUp

Hi Team,

I am using aria2 version 1.33.1 on 4.15.0-43-generic 46-Ubuntu.

  1. It was observed that URLs which get downloaded via the --log= attribute store sensitive information.
  2. In combination with HTTP authentication, a username and password can be part of the URL.
    aria2c --log=file https://user:passwd@example.com/
  • In such a case the log file contains the password as well; sometimes URLs may contain secret tokens, e.g. private file shares on a file hosting service.
  • In general, storing metadata at unexpected places should be avoided.
  3. However, if the above steps are repeated using the below URL, the log file does not contain the password.
    aria2c --log=file https://t.me/socks?server=inputzero.io&port=22&user=dhiraj&pass=MystrongPassw0rd

Request team to have a look and validate.
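
As an added example (not part of the original report and not aria2 code), here is one way to mask URL credentials before a log line is written or shared. The key list, the `REDACTED` marker and the sample log line are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed set of query keys treated as secrets; extend for your environment.
SENSITIVE_KEYS = {"pass", "password", "passwd", "token", "secret", "key", "apikey", "sig"}
MASK = "REDACTED"
URL_RE = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+")


def redact_url(url: str) -> str:
    """Mask the userinfo password and sensitive query values in one URL."""
    try:
        parts = urlsplit(url)
    except ValueError:
        # Unparseable URL: fail closed and log nothing from it.
        return MASK
    netloc = parts.netloc
    if "@" in netloc:
        # rsplit so a literal '@' inside the password cannot shift the host.
        userinfo, hostport = netloc.rsplit("@", 1)
        user, sep, _password = userinfo.partition(":")
        # Keep the username for troubleshooting, drop the password.
        netloc = f"{user}:{MASK}@{hostport}" if sep else f"{user}@{hostport}"
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # Values are re-encoded by urlencode, so escaping may differ from the input.
    masked = [(k, MASK if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]
    return urlunsplit((parts.scheme, netloc, parts.path, urlencode(masked), parts.fragment))


def scrub_line(line: str) -> str:
    """Redact every URL found in a free-form log line."""
    return URL_RE.sub(lambda m: redact_url(m.group(0)), line)


if __name__ == "__main__":
    # Constructed log line; the layout is illustrative, not aria2's real format.
    sample = "2019-01-01 12:00:00 [INFO] Requesting https://user:passwd@example.com/ now"
    print(scrub_line(sample))
    print(redact_url("https://t.me/socks?server=inputzero.io&port=22"
                     "&user=dhiraj&pass=MystrongPassw0rd"))
```
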
