URL: <https://savannah.gnu.org/bugs/?61492>
Summary: --no-verbose leaks information about HTTP password to stdout
Project: GNU Wget
Submitted by: perlun
Submitted on: Tue 16 Nov 2021 01:29:02 PM UTC
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Name:
Originator Email:
Open/Closed: Open
Release: trunk
Discussion Lock: Any
Operating System: GNU/Linux
Reproducibility: Every Time
Fixed Release: None
Planned Release: None
Regression: No
Work Required: None
Patch Included: No

_______________________________________________________

Details:

Hi,

We discovered locally that wget (version 1.19.4 running on Ubuntu 18.04 and 1.21 running on Debian GNU/Linux bullseye) has an information leak if being used with the --no-verbose flag. Here's an example of its output when executed this way:

    some-server:/some/path$ wget https://foo:b...@some-host.acme.com --no-verbose
    2021-11-16 10:02:09 URL:https://foo:b...@some-host.acme.com/ [0/0] -> "index.html.1" [1]

As can be seen above, the "foo:bar" user:password is incorrectly printed to the standard output when this flag is being used.

Compare to the normal output when the --no-verbose flag is _not_ used. In this case, the password is properly masked and replaced with *password* in the output:

    some-server:/some/path$ wget https://foo:b...@some-host.acme.com
    --2021-11-16 10:02:14-- https://foo:*password*@some-host.acme.com/
    Resolving some-host.acme.com (some-host.acme.com)... 10.11.12.13
    Connecting to some-host.acme.com (some-host.acme.com)|10.11.12.13|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 0 [text/html]
    Saving to: ‘index.html.2’

    index.html.2 [ <=> ] 0 --.-KB/s in 0s

    2021-11-16 10:02:14 (0,00 B/s) - ‘index.html.2’ saved [0/0]

Thanks in advance.

Best regards
Per Lundberg
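The following is an added example, not part of the original report and not wget code: a small scrubber that finds URL passwords in captured wget log lines and replaces them with the same *password* placeholder the verbose output uses. The function names and the sample log lines are constructed for illustration, with the credentials "foo:bar" taken from the report's description.

```python
import re

MASK = "*password*"  # placeholder shown in the verbose output quoted in the report

# scheme:// followed by the authority, which ends at the first '/', '?', '#',
# whitespace or quote character.
_URL_AUTHORITY = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)"
    r"(?P<authority>[^/?#\s\"'<>]+)")

def _mask_authority(m):
    authority = m.group("authority")
    # userinfo is everything before the LAST '@', so a password containing '@' is covered
    userinfo, at, host = authority.rpartition("@")
    if not at:
        return m.group(0)  # no userinfo at all (a bare host:port stays untouched)
    user, colon, password = userinfo.partition(":")
    if not colon or not password or password == MASK:
        return m.group(0)  # user only, empty password, or already masked
    return f"{m.group('scheme')}{user}:{MASK}@{host}"

def scrub_line(line):
    """Return the line with every URL password replaced by MASK."""
    return _URL_AUTHORITY.sub(_mask_authority, line)

def find_leaks(lines):
    """Return (line_number, scrubbed_line) for each line that carried a URL password."""
    hits = []
    for n, line in enumerate(lines, 1):
        clean = scrub_line(line)
        if clean != line:
            hits.append((n, clean))
    return hits

# Constructed sample log, modelled on the two outputs quoted in the report.
SAMPLE_LOG = [
    '2021-11-16 10:02:09 URL:https://foo:bar@some-host.acme.com/ [0/0] -> "index.html.1" [1]',
    '--2021-11-16 10:02:14-- https://foo:*password*@some-host.acme.com/',
    'Connecting to some-host.acme.com (some-host.acme.com)|10.11.12.13|:443... connected.',
    '2021-11-16 10:05:00 URL:https://foo:p@ss@some-host.acme.com:8443/a [0/0] -> "a" [1]',
]

if __name__ == "__main__":
    for n, clean in find_leaks(SAMPLE_LOG):
        print(f"line {n}: {clean}")
```

Scrubbing stored logs only limits further exposure; a password that has already been written to a log should be treated as disclosed.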