curl doesn't always hide credentials in /proc/XXX/cmdline provided via CLI arguments #16396

Closed
kayrus opened this issue Feb 19, 2025 · 3 comments

kayrus commented Feb 19, 2025

I did this

Run these commands in a Linux environment (tested in zsh, bash, posix sh)

  1. run curl `curl 8.8.8.8:444 -u user:pass -ufoo:bar -U baz:qux -U123:456 --user USER:PASS` as root or another user
  2. run `ps ax` in another terminal on the same host as another unprivileged user:
$ ps ax | grep ' [c]url 8'
 283299 ?        Ss     0:00 curl 8.8.8.8:444 -u           -ufoo:bar -U         -U123:456 --user
$ cat /proc/283299/cmdline | tr '\0' '\n'
curl
8.8.8.8:444
-u
         
-ufoo:bar
-U
       
-U123:456
--user
 

I expected the following

$ ps ax | grep ' [c]url 8'
 283299 ?        Ss     0:00 curl 8.8.8.8:444 -u           -u        -U         -U        --user
$ cat /proc/283299/cmdline | tr '\0' '\n'
curl
8.8.8.8:444
-u
         
-u

-U
       
-U

--user
 

curl/libcurl version

$ curl -V
curl 8.12.1 (x86_64-pc-linux-musl) libcurl/8.12.1 OpenSSL/3.3.3 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.5 libssh2/1.11.1 nghttp2/1.64.0
Release-Date: 2025-02-13
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

operating system

ubuntu 24.04

see also

Initial implementation: 7f67a28
Documentation discussion #3680
A note added into docs 2af732f

@vszakats
Member

This feature needs a non-cross-build to be automatically detected at configure time.
For cross-builds it has to be enabled manually.

Is it enabled in your build above?

@kayrus
Author

kayrus commented Feb 19, 2025

I reproduced this issue with a default curl ubuntu package and with the recent curlimages/curl docker image. Besides, as you can see, the args are masked, but not in the case when values are provided to a short option without whitespace.

@bagder
Member

bagder commented Feb 19, 2025

I could reproduce this as well.

@bagder bagder self-assigned this Feb 19, 2025
bagder added a commit that referenced this issue Feb 19, 2025
curl attempts to clear some flags to hide them from snooping neighbors
(on platforms where it works). For example the credentials provided with
-u. Previously it would only do that if there was a space between the
option and the credentials as in "-u joe:s3cr3t" but not when done
without a separating space as in "-ujoe:s3cr3t".

This addresses that previous shortcoming.

Reported-by: kayrus on github
Fixes #16396
@bagder bagder closed this as completed in 654f8cb Feb 20, 2025
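
The argv scrubbing that the commit message describes, handling both the separated form (`-u user:pass`) and the attached form (`-ufoo:bar`) from the report, as an added example that is not curl's own code. The option table and the names `scrub_args` and `blank` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed option set: the credential options used in the report
   (-u/--user, -U/--proxy-user). */
static const char *const long_opts[] = { "--user", "--proxy-user" };
static const char short_opts[] = "uU";

/* Overwrite in place with spaces, keeping the length. On Linux,
   /proc/PID/cmdline is read from this same memory. A real program must
   copy the value before blanking it. */
static void blank(char *s)
{
  memset(s, ' ', strlen(s));
}

/* Blank credential values in argv; returns the number of values blanked.
   Only a short option at the start of an argument is recognized. */
int scrub_args(int argc, char **argv)
{
  int scrubbed = 0;
  for(int i = 1; i < argc; i++) {
    char *a = argv[i];
    int takes_next = 0;
    if(a[0] != '-' || !a[1])
      continue;
    if(a[1] == '-') {
      for(size_t k = 0; k < sizeof(long_opts) / sizeof(long_opts[0]); k++)
        takes_next |= !strcmp(a, long_opts[k]);
    }
    else if(strchr(short_opts, a[1])) {
      if(a[2]) {              /* attached: -ufoo:bar */
        blank(a + 2);
        scrubbed++;
      }
      else
        takes_next = 1;       /* separated: -u user:pass */
    }
    if(takes_next && i + 1 < argc) {
      blank(argv[++i]);
      scrubbed++;
    }
  }
  return scrubbed;
}

int main(int argc, char **argv)
{
  printf("blanked %d value(s)\n", scrub_args(argc, argv));
  return 0;
}
```

The value is still visible between process start and the moment the scrub runs, so a caller that needs the secret never to appear in `ps` output should pass it through a file or stdin instead.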