-
-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
windows: clear sensitive command-line options from process list #15620
Conversation
2f74a72
to
2046ba9
Compare
I don't like this, I think it's unnecessary and adds complexity. Windows users can't see other users' command lines without privilege, unlike other operating systems. I use Process Explorer a lot and find the command lines useful to see what's running. I can't think of another application on my system which modifies command lines like this. Ref: #10888 (comment) |
Calling this malware doesn't help. There is nothing malicious in hiding secrets from public buffers. Having secrets visible for other processes running under the same or any higher privileged accounts is a legit concern I think. Is it common that someone wants to recover (or see) their own credentials via Process Explorer? All the rest of the command-line is still visible after this patch. (Contrary to the linked patch which hides it entirely.) I agree it's not a beauty but that's not unlike other Windows-specific quirks already rolled within the source. It probably can be tidied-up by moving the complexity inside tool_doswin. |
6cf3827
to
7c2cb2b
Compare
The HTTP/3 wolfSSL CMake failure is unrelated and possibly caused by a recent upstream commit (between be70bea687526a51e3d751d425bbaaa412b451ee and c06f65a8ace311667d9b9d7fd320b6b25f8b1bf8: https://github.com/wolfSSL/wolfSSL/compare/be70bea687526a51e3d751d425bbaaa412b451ee..c06f65a8ace311667d9b9d7fd320b6b25f8b1bf8)
|
To be fair, in the other thread I said modifying the command line is something malware does, and that isn't saying your code is malware. If a user puts secrets in command lines then I don't think it's the responsibility of any program to have to remedy that. Also, I was opposed to this behavior in general for all operating systems in part because it's not completely effective. As long as operating systems allow it adversaries can poll command lines for secrets. |
It was missing while detecting `wolfSSL_DES_ecb_encrypt`, `wolfSSL_BIO_new` and `wolfSSL_BIO_set_shutdown`. We have not seen it causing issues in stable wolfSSL releases as of v5.7.4, until a recent commit in wolfSSL master, which broke detections: ``` curl/CMakeFiles/CMakeScratch//CheckSymbolExists.c:8:19: error: ‘wolfSSL_BIO_new’ undeclared (first use in this function); did you mean ‘wolfSSL_CTX_new’? curl/CMakeFiles/CMakeScratch//CheckSymbolExists.c:8:19: error: ‘wolfSSL_BIO_set_shutdown’ undeclared (first use in this function); did you mean ‘wolfSSL_set_shutdown’? ``` This in turn disabled `HTTPS-proxy` and failed related pytests: https://github.com/curl/curl/actions/runs/11953800545/job/33324250039?pr=15620 wolfSSL source diff causing the regression: https://github.com/wolfSSL/wolfSSL/compare/be70bea687526a51e3d751d425bbaaa412b451ee..c06f65a8ace311667d9b9d7fd320b6b25f8b1bf8 The wolfSSL build says: ``` Note: Make sure your application includes "wolfssl/options.h" before any other wolfSSL headers. You can define "WOLFSSL_USE_OPTIONS_H" in your application to include this automatically. ``` This patch makes sure to follow this rule across the curl codebase. Also: - include `wolfssl/options.h` first in `lib/vtls/wolfssl.c`. It was preceded by `wolfssl/version.h`, which did not cause issues. Background for the pre-existing include order: Ref: deb9462 #3903 Ref: https://curl.se/mail/lib-2015-04/0069.html Bug: #15620 (comment) Follow-up to d68a121 #14064 Closes #15623
Thanks, no hard feelings!
Fair point. This is indeed not a 100% solution, but rather something that helps A while ago spent an unjustifiable amount of time converting all scripts to I think making the common use-case safer, may help this. While also making All that said, I'm curious what is the safe way to pass secrets to a command-line edit: managed to reduce this patch today, so now it's below 60 lines of extra code, |
56f4721
to
168805b
Compare
Note in this example (which I stole from one of my mailing list posts) the 'EOF' is quoted to prevent variable expansion, sometimes people allow that though. Also note if you do it at the prompt the whole thing will likely go in .bash_history |
I didn't know about the One way to avoid redirections is by the app accepting a command, which |
skip the feature entirely if either of _acmdln or _wcmdln is NULL. skip clearing cmdlin buffers if the ANSI-WIDE conversion failed.
``` D:\a\curl\curl\src\tool_getparam.c(2819,1): warning C4701: potentially uninitialized local variable 'acmdln_siz' used [D:\a\curl\curl\bld\src\curl.vcxproj] D:\a\curl\curl\src\tool_getparam.c(2818,1): warning C4701: potentially uninitialized local variable 'wcmdln_siz' used [D:\a\curl\curl\bld\src\curl.vcxproj] ``` https://github.com/curl/curl/actions/runs/11953256088/job/33321005862?pr=15620#step:9:36 ``` D:/a/curl/curl/src/tool_getparam.c: In function 'parse_args': D:/a/curl/curl/src/tool_getparam.c:2819:11: error: 'acmdln_siz' may be used uninitialized [-Werror=maybe-uninitialized] 2819 | (void)WideCharToMultiByte(CP_ACP, 0, tcmdln, -1, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 2820 | _acmdln, (int)acmdln_siz, NULL, NULL); | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ D:/a/curl/curl/src/tool_getparam.c:2695:22: note: 'acmdln_siz' was declared here 2695 | size_t acmdln_len, acmdln_siz; | ^~~~~~~~~~ D:/a/curl/curl/src/tool_getparam.c:2818:5: error: 'wcmdln_siz' may be used uninitialized [-Werror=maybe-uninitialized] 2818 | memcpy(_wcmdln, tcmdln, wcmdln_siz); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ D:/a/curl/curl/src/tool_getparam.c:2696:22: note: 'wcmdln_siz' was declared here 2696 | size_t wcmdln_len, wcmdln_siz; | ^~~~~~~~~~ ``` https://github.com/curl/curl/actions/runs/11953256088/job/33321008571?pr=15620#step:19:23
7e79ff0
to
24fada9
Compare
24fada9
to
0fdc0ad
Compare
This is rebuilding the command line in a way that may not accurately represent what it was, aside from the intentional omission of secrets. How and which command line (a&w) is used and how it is parsed varies. I think we may have discussed this at some point in some other issue. Windows doesn't have standard argument parsing and it doesn't give the app the arguments, it just gives it the command line and expects the app to parse it however it chooses. There's no guarantee that acmd and wcmd will point to the process' internal command line that is used by Windows. Also you are assuming acmdln and wcmdln will both exist and be less than the sum of all the parsed argv plus spaces, which makes sense but afaict isn't guaranteed. |
We also have the variable system that is another way to get data into a command line without being visible in the process listing. I think this solution unfortunately is very complicated, feels brittle and hard to work with due to its completely different nature than the "normal" argument blanking (which value has always been low). This makes me side with @jay here: this implementation does not seem to outweigh the cost of accepting it for the small gain we get with it. |
The UCRT source code says these pointers are initialized with But, the MSDN documentation says that the buffer returned by
Thanks for the reviews and remarks! Closing this without a merge. |
Writing to
argv
is not effective on Windows, but there is an alternatemethod to modify the command-line as seen here:
https://github.com/lordmulder/cURL-build-win32/blob/2e9d3818baf8f7b1183331750b7b33152dd6ee82/patch/curl_tool_doswin.diff
Try a patch that's re-creating the full command-line string from each
argument except sensitive ones and writing it back to the command-line
buffer.
The known issue is the use of banned func
_tcscat()
.cat
s.https://github.com/curl/curl/actions/runs/11953800552/job/33325198409?pr=15620
https://github.com/curl/curl/actions/runs/11953800552/job/33325199361?pr=15620
Seems to be mingw-w64 + c-ares builds (Unicode and non-Unicode):
https://github.com/curl/curl/actions/runs/11964350233/job/33356658887
Doh, I missed
free()
.1264 Segmentation fault bld/src/curl.exe --disable --version
: https://github.com/curl/curl/actions/runs/11945298830/job/33297864984?pr=15620#step:20:14