Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[security] Do not store username/password in extended attributes when enabling --xattr flag #3423

Closed
sidhpurwala-huzaifa opened this issue Jan 2, 2019 · 3 comments

Comments

Projects
None yet
3 participants
@sidhpurwala-huzaifa
Copy link

commented Jan 2, 2019

https://nvd.nist.gov/vuln/detail/CVE-2018-20483 contains the relevant information, can be reproduced by:

[huzaifas@babylon test]$ curl http://user1:redhat@localhost -o file --xattr
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

[huzaifas@babylon test]$ getfattr curl
getfattr: curl: No such file or directory
[huzaifas@babylon test]$ getfattr file
# file: file
user.mime_type
user.xdg.origin.url

[huzaifas@babylon test]$ getfattr -n user.xdg.origin.url file
# file: file
user.xdg.origin.url="http://user1:redhat@localhost/"
@bagder

This comment has been minimized.

Copy link
Member

commented Jan 2, 2019

This is a security issue for wget because they didn't require a flag for this action like curl does. I agree we should strip off the credentials when storing the url but the security impact of the current behavior is not like the wget CVE.

@danielgustafsson

This comment has been minimized.

Copy link
Member

commented Jan 2, 2019

@bagder

This comment has been minimized.

Copy link
Member

commented Jan 3, 2019

I had some time over on a flight yesterday so there's a PR coming from me for this...

@bagder bagder added the cmdline tool label Jan 3, 2019

bagder added a commit that referenced this issue Jan 3, 2019

xattr: strip credentials from any URL that is stored
Both user and password are cleared uncondtitionally.

Fixes #3423

bagder added a commit that referenced this issue Jan 5, 2019

xattr: strip credentials from any URL that is stored
Both user and password are cleared uncondtitionally.

Fixes #3423

@bagder bagder closed this in 98e6629 Jan 10, 2019

@lock lock bot locked as resolved and limited conversation to collaborators Apr 10, 2019

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.