[security] Do not store username/password in extended attributes when enabling --xattr flag #3423
https://nvd.nist.gov/vuln/detail/CVE-2018-20483 contains the relevant information; it can be reproduced by:
On 2 Jan 2019, at 10:14, Daniel Stenberg <***@***.***> wrote:
This is a security issue for wget because they didn't require a flag for this action like curl does. I agree we should strip off the credentials when storing the url but the security impact of the current behavior is not like the wget CVE.
Unless someone is interested in hacking on this now, I suggest that we add this to the TODO.
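
The change requested in the issue title, sketched as an added example (not curl's code and not from this thread): remove the userinfo part of a URL before it is written to an extended attribute. The helper name `strip_credentials` and the sample URLs are constructed for illustration, and cutting at the last `@` in the authority is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not curl's code: copy url into out with any
 * "user:password@" userinfo removed from the authority component.
 * Returns 0 on success, -1 if out is too small. */
int strip_credentials(const char *url, char *out, size_t outlen)
{
  const char *sep = strstr(url, "://");
  const char *auth = url; /* schemeless input: authority starts at url */
  const char *end, *p, *host;
  const char *at = NULL;
  size_t prefix, rest;

  /* Accept "://" as the scheme separator only when nothing that starts a
   * path, query or fragment comes before it. */
  if(sep && strcspn(url, "/?#") == (size_t)(sep - url) + 1)
    auth = sep + 3;

  /* The authority ends at the first '/', '?' or '#'. An '@' after that
   * point is ordinary data and must be left alone. */
  end = auth + strcspn(auth, "/?#");
  for(p = auth; p < end; p++)
    if(*p == '@')
      at = p; /* assumption: cut at the last '@' in the authority */

  host = at ? at + 1 : auth;
  prefix = (size_t)(auth - url);
  rest = strlen(host) + 1; /* include the terminating NUL */
  if(prefix + rest > outlen)
    return -1;
  memcpy(out, url, prefix);
  memcpy(out + prefix, host, rest);
  return 0;
}

int main(void)
{
  /* Constructed sample URLs. */
  const char *samples[] = {
    "https://alice:s3cret@example.com/file.tar.gz",
    "ftp://user@host.example:21/pub/",
    "https://example.com/a@b?next=u:p@h"
  };
  char buf[256];
  size_t i;

  for(i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    if(!strip_credentials(samples[i], buf, sizeof(buf)))
      printf("%s\n", buf);
  return 0;
}
```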