[bug #61492] --no-verbose leaks information about HTTP password to stdou
From: Per Lundberg
Subject: [bug #61492] --no-verbose leaks information about HTTP password to stdout
Date: Tue, 16 Nov 2021 08:29:04 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
URL:
<https://savannah.gnu.org/bugs/?61492>
Summary: --no-verbose leaks information about HTTP password
to stdout
Project: GNU Wget
Submitted by: perlun
Submitted on: Tue 16 Nov 2021 01:29:02 PM UTC
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Release: trunk
Discussion Lock: Any
Operating System: GNU/Linux
Reproducibility: Every Time
Fixed Release: None
Planned Release: None
Regression: No
Work Required: None
Patch Included: No
_______________________________________________________
Details:
Hi,
We discovered locally that wget (version 1.19.4 running on Ubuntu 18.04 and
1.21 running on Debian GNU/Linux bullseye) has an information leak when
used with the --no-verbose flag. Here's an example of its output when executed
this way:
some-server:/some/path$ wget https://foo:bar@some-host.acme.com --no-verbose
2021-11-16 10:02:09 URL:https://foo:bar@some-host.acme.com/ [0/0] -> "index.html.1" [1]
As can be seen above, the "foo:bar" user:password is incorrectly printed to
the standard output when this flag is being used.
Compare to the normal output when the --no-verbose flag is _not_ used. In this
case, the password is properly masked and replaced with *password* in the
output:
some-server:/some/path$ wget https://foo:bar@some-host.acme.com
--2021-11-16 10:02:14-- https://foo:*password*@some-host.acme.com/
Resolving some-host.acme.com (some-host.acme.com)... 10.11.12.13
Connecting to some-host.acme.com (some-host.acme.com)|10.11.12.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
Saving to: ‘index.html.2’
index.html.2 [ <=> ] 0 --.-KB/s in 0s
2021-11-16 10:02:14 (0,00 B/s) - ‘index.html.2’ saved [0/0]
Thanks in advance.
Best regards
Per Lundberg
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?61492>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
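
Added example (not part of the report and not wget's own code): a C sketch of the masking the report expects on the --no-verbose line, replacing the password in a URL's userinfo with the same *password* marker the verbose output shows. The function name mask_url_password and the MASK macro are hypothetical, and the input in main is constructed from the report's sample URL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MASK "*password*"   /* marker seen in the report's verbose output */

/* Hypothetical helper: return a malloc'd copy of url with any userinfo
   password replaced by MASK. Only the authority (after "://", up to the
   first '/', '?' or '#') is scanned, so '@' or ':' in a path or query
   is left untouched. */
char *mask_url_password(const char *url)
{
    const char *auth = strstr(url, "://");
    auth = auth ? auth + 3 : url;        /* assumption: scheme may be absent */
    size_t auth_len = strcspn(auth, "/?#");

    /* The last '@' inside the authority ends the userinfo. */
    const char *at = NULL;
    for (size_t i = 0; i < auth_len; i++)
        if (auth[i] == '@')
            at = auth + i;

    /* The first ':' inside the userinfo separates user from password. */
    const char *colon = at ? memchr(auth, ':', (size_t)(at - auth)) : NULL;

    if (!colon) {                        /* no password present: plain copy */
        char *copy = malloc(strlen(url) + 1);
        if (copy)
            strcpy(copy, url);
        return copy;
    }

    size_t head = (size_t)(colon + 1 - url);   /* keep "scheme://user:" */
    char *out = malloc(head + strlen(MASK) + strlen(at) + 1);
    if (!out)
        return NULL;
    memcpy(out, url, head);
    strcpy(out + head, MASK);
    strcat(out, at);                     /* "@host/..." is kept as-is */
    return out;
}

int main(void)
{
    /* Constructed input: the URL from the report's --no-verbose log line. */
    char *safe = mask_url_password("https://foo:bar@some-host.acme.com/");
    if (!safe)
        return 1;
    printf("URL:%s [0/0] -> \"index.html.1\" [1]\n", safe);
    free(safe);
    return 0;
}
```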