Closed
Description
Hi Team,
I am using aria2 version 1.33.1 on 4.15.0-43-generic 46-Ubuntu.
- It was observed that URL's which gets downloaded via
--log=attribute stored sensitive information. - In combination with HTTP authentication a username and password can be part of the URL.
aria2c --log=file https://user:passwd@example.com/
- In such case the log file contains password as well, sometimes URL's may contain secret tokens, e.g. private file shares on a file hosting service.
- In general storing metadata at unexpected places should be avoided.
- However, if the above steps are repeated using the below URL the log file does not contains password.
aria2c --log=file https://t.me/socks?server=inputzero.io&port=22&user=dhiraj&pass=MystrongPassw0rd
Request team to have a look and validate.
Metadata
Metadata
Assignees
Labels
No labels