Package: wget
Version: 1.20.3-1+b2
Severity: important
Tags: security

  % echo -e '#!/bin/sh\necho user:s3cr3t' > /tmp/askpass
  % chmod +x /tmp/askpass
  % wget --use-askpass=/tmp/askpass https://debian.org
  --2019-11-20 22:14:24-- https://user%3As3cr3t:*password*@debian.org/
                                  ^^^^^^^^^^^^^^^^^^^^^^^^

There seems to be a bug here, possibly related to the output of the askpass script being HTML-encoded too early.

HTTP basic auth still works (though not on debian.org, but I've tried it on other sites).

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.3.0-1-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_CRAP
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wget depends on:
ii  libc6         2.29-3
ii  libgnutls30   3.6.10-3
ii  libidn2-0     2.2.0-2
ii  libnettle7    3.5.1+really3.5.1-2
ii  libpcre2-8-0  10.32-5+b1
ii  libpsl5       0.20.2-2
ii  libuuid1      2.34-0.1
ii  zlib1g        1:1.2.11.dfsg-1+b1

Versions of packages wget recommends:
ii  ca-certificates  20190110

wget suggests no packages.

-- no debconf information

-- 
 .''`.   martin f. krafft <madduck@d.o> @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems
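An added example, not part of the original report and not wget code: a log check that finds request lines where a whole `user:secret` pair ended up percent-encoded in the username field, as in the output above, and returns them with the secret redacted. The function name, regular expressions and sample log are assumptions made for illustration; only the first sample line is taken from the report.

```python
import re
from urllib.parse import unquote

# wget prints each request URL on a line of the form "--<date> <time>--  <url>".
REQUEST_LINE = re.compile(r"^--(?P<ts>[\d-]+ [\d:]+)--\s+(?P<url>\S+)")
# Userinfo part of a URL: scheme://user[:password]@rest
USERINFO = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9+.-]*://)(?P<user>[^/@:]*)(?::(?P<pw>[^/@]*))?@(?P<rest>.*)$",
    re.I,
)

def find_leaks(log_text):
    """Return (line_no, timestamp, redacted_url) for every request line whose
    username field percent-decodes to 'name:secret'."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        u = USERINFO.match(m.group("url"))
        if not u:
            continue  # URL carries no userinfo at all
        decoded = unquote(u.group("user"))
        if ":" not in decoded:
            continue  # ordinary username, password already masked by wget
        name = decoded.split(":", 1)[0]
        redacted = f"{u.group('scheme')}{name}:[REDACTED]@{u.group('rest')}"
        hits.append((no, m.group("ts"), redacted))
    return hits

# Sample log: line 1 is the output quoted in the report, the rest is constructed.
SAMPLE_LOG = """\
--2019-11-20 22:14:24--  https://user%3As3cr3t:*password*@debian.org/
Resolving debian.org (debian.org)... (constructed)
--2019-11-20 22:15:02--  https://user:*password*@example.org/
--2019-11-20 22:15:40--  https://example.org/index.html
"""

if __name__ == "__main__":
    for no, ts, url in find_leaks(SAMPLE_LOG):
        print(f"line {no} [{ts}]: {url}")
```

Any line it reports means the secret was written to the log in recoverable form, so the credential should be treated as exposed wherever that log was stored or shipped.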