Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mask password passed in as command line arg like mysql #3680

Closed
ericcurtin opened this issue Mar 13, 2019 · 8 comments
Closed

Mask password passed in as command line arg like mysql #3680

ericcurtin opened this issue Mar 13, 2019 · 8 comments
Labels

Comments

@ericcurtin
Copy link
Contributor

@ericcurtin ericcurtin commented Mar 13, 2019

I did this

curl -x https://user:password@your-proxy-ip-addess:12/ http://www.google.com

ps -ef | grep curl
curtine 7859 3321 0 17:32 pts/1 00:00:00 curl -x https://user:password@your-proxy-ip-addess:12/ http://www.google.com

I expected the following

Masked password for proxy password. Like mysql does https://unix.stackexchange.com/questions/78757/securely-feeding-a-program-with-a-password

curl/libcurl version

curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

operating system

ubuntu 18.04

@bagder bagder added the cmdline tool label Mar 13, 2019
@bagder
Copy link
Member

@bagder bagder commented Mar 13, 2019

If you provide the name and password with the dedicated -U or --proxy-user flag then curl will (attempt to) hide it.

@bagder
Copy link
Member

@bagder bagder commented Mar 14, 2019

I don't think we should clear the entire proxy string just because someone might pass their credentials there. We could consider scrubbing out them from the string, but since we have a working way to do this I don't think we have to.

@ericcurtin
Copy link
Contributor Author

@ericcurtin ericcurtin commented Mar 14, 2019

Yes -U masks just fine. Good to know. Might be worth adding to man page.

bagder added a commit that referenced this issue Mar 14, 2019
Ref: #3680
@ericcurtin
Copy link
Contributor Author

@ericcurtin ericcurtin commented Mar 14, 2019

I opened a PR but you were too fast for me @bagder #3684

I can close mine.

@ericcurtin
Copy link
Contributor Author

@ericcurtin ericcurtin commented Mar 14, 2019

Thanks 😃

bagder added a commit that referenced this issue Mar 14, 2019
Suggested-by: Eric Curtin
Improved-by: Dan Fandrich
Ref: #3680
@bagder
Copy link
Member

@bagder bagder commented Mar 14, 2019

Hehe, I was a whole minute faster! 😆

bagder added a commit that referenced this issue Mar 14, 2019
Suggested-by: Eric Curtin
Improved-by: Dan Fandrich
Ref: #3680

Closes #3683
@bagder
Copy link
Member

@bagder bagder commented Mar 14, 2019

@ericcurtin are you ok with us closing this issue now?

@ericcurtin
Copy link
Contributor Author

@ericcurtin ericcurtin commented Mar 14, 2019

👍

@ericcurtin ericcurtin closed this Mar 14, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jun 12, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.