Metadata and potential password leaks via --log= #1329
I am using aria2 version 1.33.1 on 4.15.0-43-generic 46-Ubuntu.
Request team to have a look and validate.
I'm not sure if this is the vulnerability. But if so, I noticed that Authorization and Cookie headers are included in the log file, too.
For example, run the following command.
then the following data is in the log file.
aria2 only masks credentials which follow "Authorization: Basic ". No masking is made for the userinfo subcomponent in a URI.
I will change the code so that all authorization and cookie header fields are masked.
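
For log files that were already written before such a change, the two gaps named in this thread (credential-bearing header fields and URI userinfo) can be scrubbed before the log is shared. This is an added example, not part of the original thread and not aria2's code; the name `redact`, the mask string, the inclusion of `Proxy-Authorization` and `Set-Cookie`, and the sample log text are all assumptions constructed for illustration.

```python
import re

MASK = "********"

# Header fields named in the thread: authorization and cookie headers.
# Proxy-Authorization and Set-Cookie are added here as an assumption.
# The whole field value is masked, whatever the auth scheme is.
HEADER_RE = re.compile(
    r"\b((?:Proxy-)?Authorization|(?:Set-)?Cookie)([ \t]*:[ \t]*)[^\r\n]+",
    re.IGNORECASE,
)

# userinfo subcomponent of a URI: scheme://user:password@host/...
# Unencoded '/', '?', '#' and '@' cannot appear inside userinfo (RFC 3986).
USERINFO_RE = re.compile(r"\b([a-z][a-z0-9+.\-]*://)[^/?#@\s]+@", re.IGNORECASE)


def redact(text):
    """Return (scrubbed_text, number_of_masked_items)."""
    text, n_headers = HEADER_RE.subn(r"\1\2" + MASK, text)
    text, n_uris = USERINFO_RE.subn(r"\1" + MASK + "@", text)
    return text, n_headers + n_uris


# Constructed sample, not real aria2 output.
SAMPLE = (
    "[DEBUG] Requesting:\r\n"
    "GET /file.iso HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "Authorization: Bearer constructed-token-123\r\n"
    "Cookie: session=constructed-cookie-456\r\n"
    "\r\n"
    "[INFO] Download URI ftp://alice:constructed-pw@example.org/file.iso\n"
)

if __name__ == "__main__":
    scrubbed, count = redact(SAMPLE)
    print(scrubbed)
    print("masked items:", count)
```

Treat any credential that has appeared in a log as exposed and rotate it; scrubbing only limits further spread.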