On Thu, 11 Jan 2018, Michael Ambrus wrote:
> I am in the process of working through a security audit of software that is statically linked with libcurl. The security audit is being done using Veracode's static analysis engine (www.veracode.com). Veracode is flagging code in libcurl where the connection password (conn->passwd) and proxy password (proxyinfo->passwd) are set with the warning that they are stored in plain text.
Stored, as stored in memory, yes. libcurl needs them in plain text to be able to use them in the authentication mechanisms that it supports.
> * Is this something likely to be resolved/addressed by the maintainers of this project?
I've seen the concern raised before but we haven't done any real counter-measures internally.
It would of course reduce the impact of memory disclosures and similar flaws if the passwords and usernames were kept encrypted somehow during the times it isn't absolutely necessary to have them around. I've just never felt that feature to be important enough for me or anyone else to actually have a go at it.
--
/ daniel.haxx.se

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
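As an added illustration of the mitigation Daniel describes (keeping the credential masked while it is not in use and holding a plaintext copy only for the duration of one authentication), here is a small C sketch that is not libcurl code: the holder type, key and password are constructed for the example, and the masking key would come from a CSPRNG in real use. Masking within the same process only narrows what a partial over-read or a logged buffer exposes; a full memory dump still contains everything needed to recover the secret.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical holder: the secret is kept XOR-masked with a per-holder key,
   so a stray read of the data field alone does not yield the password.
   Unmasked copies live only in a caller buffer for one use, then are wiped. */
struct masked_secret {
    uint8_t key[64];
    uint8_t data[64];
    size_t len;
};

/* Wipe through a volatile pointer so the compiler cannot drop the stores. */
void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

/* Store `secret` masked under `key` (key must supply at least strlen(secret) bytes). */
int masked_secret_set(struct masked_secret *s, const uint8_t *key, const char *secret) {
    size_t n = strlen(secret);
    if (n > sizeof s->data) return -1;
    memcpy(s->key, key, n);
    for (size_t i = 0; i < n; i++)
        s->data[i] = (uint8_t)secret[i] ^ s->key[i];
    s->len = n;
    return 0;
}

/* Unmask into the caller's buffer; returns the length, or -1 if it does not fit. */
int masked_secret_reveal(const struct masked_secret *s, char *out, size_t outlen) {
    if (s->len + 1 > outlen) return -1;
    for (size_t i = 0; i < s->len; i++)
        out[i] = (char)(s->data[i] ^ s->key[i]);
    out[s->len] = '\0';
    return (int)s->len;
}

int main(void) {
    struct masked_secret s;
    uint8_t key[64];                      /* constructed key; use a CSPRNG for real */
    for (size_t i = 0; i < sizeof key; i++) key[i] = (uint8_t)(0x5a + i);
    masked_secret_set(&s, key, "hunter2"); /* constructed sample password */
    char pw[32];
    if (masked_secret_reveal(&s, pw, sizeof pw) > 0)   /* start of the use window */
        printf("authenticating with a %zu-byte password\n", strlen(pw));
    secure_wipe(pw, sizeof pw);                         /* plaintext copy gone */
    return 0;
}
```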