
curl: add --pass-file and --proxy-pass-file options #7666

Closed
1 commit

Conversation

vszakats (Member) commented Sep 3, 2021

These two options have the same purpose as existing --pass and --proxy-pass options, but instead of expecting the secret string on the command-line, they allow them to be passed via a filename. This filename can point to an on-disk file, to STDIN, etc. This makes it possible to pass key passphrases securely to curl, without them appearing in the ps listing, command history, etc.

The passphrase is read from the filename as-is, up to the first zero byte or CR, LF characters.

Examples:

echo 'secret' | curl --user my-user: sftp://example.net/ \
  --key id_ed25519 --pubkey id_ed25519.pub --pass-file /dev/stdin

echo 'secret' | curl https://example.net/ \
  --cert-type P12 --cert client.p12 --pass-file /dev/stdin

dfandrich (Contributor) commented Sep 3, 2021 via email

vszakats (Member, Author) commented Sep 3, 2021

-K can technically resolve this, but it's quite impractical: First you need to convert the complete command-line into a .curlrc-style config file with different syntax and other subtle differences, then you lose the ability to use the default .curlrc file (unless manually merging it into the custom config).

These two options are lightweight, discoverable and resolve this problem without friction for key passphrases. Just like --netrc-file does already for login credentials.

vszakats (Member, Author) commented Sep 3, 2021

After some experimenting it turns out -K is much more convenient than the help text suggests. First, it doesn't override .curlrc which wasn't readily obvious, second, it can be combined with the rest of the command-line in a flexible way, and can even be specified multiple times.

So the above examples translate to these:

echo '--pass "secret"' | curl --user my-user: sftp://example.net/ \
  --key id_ed25519 --pubkey id_ed25519.pub --config /dev/stdin

echo '--pass "secret"' | curl https://example.net/ \
  --cert-type P12 --cert client.p12 --config /dev/stdin

It is also useful to pass a secret as part of the URL.

I'm fine with the above, and thanks for pointing it out @dfandrich! (Though it's not the easiest to discover feature, even by having read its manual entry.)
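As an added example, not code from the curl project or from this PR: the -K/--config approach from the comment above packaged as a small POSIX shell helper, so the passphrase is never a curl command-line argument. It relies on two documented curl behaviours: inside a double-quoted config-file value, \\ and \" are escapes and a backslash before any other character is ignored, and a --config filename of "-" means stdin (equivalent to the /dev/stdin used above). The function names curl_pass_line, curl_with_pass and secret_file_is_private, and the path ~/.curl-pass in the usage comment, are mine; passphrases containing a newline are not handled.

```shell
#!/bin/sh
# Added example, not code from curl or from this PR: pass a key
# passphrase to curl through a -K/--config file read from stdin, so the
# secret is never a curl command-line argument and never shows in `ps`.

# Emit one curl config line: --pass "<escaped passphrase>".
# curl's config-file syntax (per the curl manual) treats \\ and \" inside
# double quotes as escapes and ignores a backslash before any other
# character, so literal backslashes and double quotes in the passphrase
# must be escaped, backslashes first. The passphrase reaches sed on
# stdin, not argv, so it does not appear in `ps` there either.
# Assumption: the passphrase contains no newline.
curl_pass_line() {
  escaped=$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
  printf '%s "%s"\n' --pass "$escaped"
}

# Refuse a passphrase file that group or others can read, so the secret
# is not merely moved from the process list into a world-readable file.
# Columns 5-10 of `ls -ld` output are the group and other permission bits.
secret_file_is_private() {
  [ -f "$1" ] || return 1
  case $(ls -ld "$1" | cut -c5-10) in
    *r*) return 1 ;;
    *)   return 0 ;;
  esac
}

# Run curl with the --pass line delivered on stdin. The curl manual
# documents "-" as a --config filename meaning stdin; /dev/stdin as used
# in the PR works as well. Remaining arguments go to curl unchanged.
curl_with_pass() {
  passphrase=$1
  shift
  curl_pass_line "$passphrase" | curl --config - "$@"
}

# Usage: the SFTP example from this PR, with the passphrase read from a
# private file instead of being typed on the command line.
#   f=$HOME/.curl-pass    # hypothetical path, created with mode 0600
#   secret_file_is_private "$f" || { echo "$f is not private" >&2; exit 1; }
#   curl_with_pass "$(cat "$f")" --user my-user: sftp://example.net/ \
#     --key id_ed25519 --pubkey id_ed25519.pub
```

Two caveats when using this: `--config -` consumes curl's stdin, so it cannot be combined with options that also read stdin such as `-d @-` or `-T -`; and typing `echo 'secret' | curl ...` at an interactive prompt still records the secret in the shell's history, which is why the usage above reads it from a mode-0600 file rather than from a literal on the command line.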

dfandrich (Contributor) commented Sep 3, 2021 via email

vszakats (Member, Author) commented Sep 3, 2021

Thanks again for the -K tip, closing this in favour of it.

@vszakats vszakats closed this Sep 3, 2021
@vszakats vszakats deleted the pass-file branch September 3, 2021 03:28
jay added a commit to jay/curl that referenced this pull request Sep 3, 2021
jay added a commit to jay/curl that referenced this pull request Sep 3, 2021
jay added a commit that referenced this pull request Sep 5, 2021