Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[security] Do not store username/password in extended attributes when enabling --xattr flag #3423

Closed
sidhpurwala-huzaifa opened this issue Jan 2, 2019 · 3 comments
Closed

[security] Do not store username/password in extended attributes when enabling --xattr flag #3423

sidhpurwala-huzaifa opened this issue Jan 2, 2019 · 3 comments
Labels
cmdline tool

Comments

@sidhpurwala-huzaifa
Copy link

sidhpurwala-huzaifa commented Jan 2, 2019
edited by kdudka
Loading

https://nvd.nist.gov/vuln/detail/CVE-2018-20483 contains the relevant information, can be reproduced by:

[huzaifas@babylon test]$ curl http://user1:redhat@localhost -o file --xattr
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0

[huzaifas@babylon test]$ getfattr curl
getfattr: curl: No such file or directory
[huzaifas@babylon test]$ getfattr file
# file: file
user.mime_type
user.xdg.origin.url

[huzaifas@babylon test]$ getfattr -n user.xdg.origin.url file
# file: file
user.xdg.origin.url="http://user1:redhat@localhost/"
@bagder
Copy link
Member

bagder commented Jan 2, 2019

This is a security issue for wget because they didn't require a flag for this action like curl does. I agree we should strip off the credentials when storing the url but the security impact of the current behavior is not like the wget CVE.

@danielgustafsson
Copy link
Member

danielgustafsson commented Jan 2, 2019 via email

@bagder
Copy link
Member

bagder commented Jan 3, 2019

I had some time over on a flight yesterday so there's a PR coming from me for this...

bagder added a commit that referenced this issue Jan 3, 2019
@bagder
xattr: strip credentials from any URL that is stored
295b546 
Both user and password are cleared uncondtitionally.

Fixes #3423
@bagder bagder mentioned this issue Jan 3, 2019
Closed
bagder added a commit that referenced this issue Jan 5, 2019
@bagder
xattr: strip credentials from any URL that is stored
71886f5 
Both user and password are cleared uncondtitionally.

Fixes #3423
@bagder bagder closed this as completed in 98e6629 Jan 10, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Apr 10, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
cmdline tool
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

xattr: strip credentials from any URL that is stored curl/curl
3 participants
@bagder @danielgustafsson @sidhpurwala-huzaifa