curl doesn't always hide credentials in /proc/XXX/cmdline provided via CLI arguments #16396

@kayrus

I did this

Run these commands in a Linux environment (tested in zsh, bash, POSIX sh)

  1. run curl: `curl 8.8.8.8:444 -u user:pass -ufoo:bar -U baz:qux -U123:456 --user USER:PASS` as root or another user
  2. run `ps ax` in another terminal on the same host under another unprivileged user:

```
$ ps ax | grep ' [c]url 8'
 283299 ?        Ss     0:00 curl 8.8.8.8:444 -u           -ufoo:bar -U         -U123:456 --user
$ cat /proc/283299/cmdline | tr '\0' '\n'
curl
8.8.8.8:444
-u
         
-ufoo:bar
-U
       
-U123:456
--user
 
```

I expected the following

```
$ ps ax | grep ' [c]url 8'
 283299 ?        Ss     0:00 curl 8.8.8.8:444 -u           -u        -U         -U        --user
$ cat /proc/283299/cmdline | tr '\0' '\n'
curl
8.8.8.8:444
-u
         
-u

-U
       
-U

--user
 
```

curl/libcurl version

```
$ curl -V
curl 8.12.1 (x86_64-pc-linux-musl) libcurl/8.12.1 OpenSSL/3.3.3 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.5 libssh2/1.11.1 nghttp2/1.64.0
Release-Date: 2025-02-13
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd
```

operating system

Ubuntu 24.04

see also

Initial implementation: 7f67a28
Documentation discussion #3680
A note added into docs 2af732f
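
An added audit check, not part of the original report and not curl's own code: it takes a curl argv as read from `/proc/<pid>/cmdline` and reports which `-u`/`--user`/`-U`/`--proxy-user` values are still readable, in the separate or the attached form. The function names are hypothetical, and it assumes a masked value consists only of spaces, as in the output above.

```python
# Credential-bearing curl options: -u/--user and -U/--proxy-user.
SHORT_OPTS = ("-u", "-U")
LONG_OPTS = ("--user", "--proxy-user")

# Constructed sample: the /proc/<pid>/cmdline content shown in the report,
# re-encoded as the NUL-separated byte string the kernel exposes.
SAMPLE_CMDLINE = (
    b"curl\x008.8.8.8:444\x00-u\x00         \x00-ufoo:bar\x00"
    b"-U\x00       \x00-U123:456\x00--user\x00 \x00"
)


def split_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob into its argv strings."""
    if raw.endswith(b"\x00"):
        raw = raw[:-1]
    return raw.decode("utf-8", errors="replace").split("\x00")


def is_blanked(value):
    """True when the value holds only spaces (assumed masking character)."""
    return value.strip(" ") == ""


def exposed_credentials(argv):
    """Return (argv index, option, form) for each credential still readable.

    The credential text itself is never returned, only where it sits.
    Clustered short options (for example -su) are not handled.
    """
    findings = []
    i = 1  # argv[0] is the program name
    while i < len(argv):
        arg = argv[i]
        if arg in SHORT_OPTS or arg in LONG_OPTS:
            # Separate form: the credential is the following argument.
            if i + 1 < len(argv) and not is_blanked(argv[i + 1]):
                findings.append((i + 1, arg, "separate"))
            i += 2
            continue
        if len(arg) > 2 and arg[:2] in SHORT_OPTS:
            # Attached form: the credential shares the argument with the flag.
            if not is_blanked(arg[2:]):
                findings.append((i, arg[:2], "attached"))
        i += 1
    return findings


if __name__ == "__main__":
    for index, option, form in exposed_credentials(split_cmdline(SAMPLE_CMDLINE)):
        print(f"argv[{index}]: {option} value visible ({form} form)")
```
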
