Metadata and potential password leaks via --log= #1329
Comments
CVE-2019-3500 was assigned to this issue.
I'm not sure if this is the vulnerability. But if so, I noticed that Authorization and Cookie headers are included in the log file, too. For example, run the following command. Then the following data is in the log file.
aria2 only masks credentials which follow "Authorization: Basic ". No masking is done for the userinfo subcomponent in a URI. I will change the code so that all authorization and cookie header fields are masked.
Fix committed via 3736813
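The masking discussed in the comments above, sketched as an added example (not aria2's code and not the committed fix): a `redact` helper that blanks the whole value of authorization and cookie headers and the URI userinfo before a message reaches a log. The function name, the mask string and the list of password-like query keys are assumptions, and the query-string masking goes beyond what the maintainer's comment describes.

```cpp
#include <iostream>
#include <regex>
#include <string>

// Added example, not aria2 source. Masks secrets in one log message.
std::string redact(const std::string& msg) {
  static const auto fl = std::regex::ECMAScript | std::regex::icase;
  // Any authorization or cookie header: drop the whole value, so the
  // auth scheme (Basic, Bearer, Digest, ...) no longer matters.
  static const std::regex header(
      R"(((?:Proxy-)?Authorization|(?:Set-)?Cookie)\s*:[^\r\n]*)", fl);
  // userinfo subcomponent: everything between "scheme://" and "@".
  static const std::regex userinfo(
      R"(([a-z][a-z0-9+.-]*://)[^/?#@\s]*@)", fl);
  // Assumption: password-like query keys; this list is illustrative.
  static const std::regex query(
      R"(([?&](?:password|passwd|pass|pwd)=)[^&#\s]*)", fl);

  std::string out = std::regex_replace(msg, header, "$1: ********");
  out = std::regex_replace(out, userinfo, "$1********@");
  out = std::regex_replace(out, query, "$1********");
  return out;
}

int main() {
  // Constructed sample log messages, not output captured from aria2.
  const char* samples[] = {
      "Authorization: Bearer abc.def",
      "Cookie: sid=1; t=2\r\nHost: example.com",
      "GET https://user:passwd@example.com/f",
      "https://example.com/dl?user=alice&pass=s3cret",
  };
  for (const char* s : samples) std::cout << redact(s) << "\n";
  return 0;
}
```

Masking the entire header value, rather than only what follows one known scheme prefix, avoids the gap described in the comment above where only "Authorization: Basic " was covered.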
Hi Team,
I am using aria2 version 1.33.1 on 4.15.0-43-generic 46-Ubuntu.
--log= attribute stored sensitive information.

aria2c --log=file https://user:passwd@example.com/
aria2c --log=file https://t.me/socks?server=inputzero.io&port=22&user=dhiraj&pass=MystrongPassw0rd

Request team to have a look and validate.