
[bug #61492] --no-verbose leaks information about HTTP password to stdout

From: Per Lundberg
Subject: [bug #61492] --no-verbose leaks information about HTTP password to stdout
Date: Tue, 16 Nov 2021 08:29:04 -0500 (EST)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0


                 Summary: --no-verbose leaks information about HTTP password to stdout
                 Project: GNU Wget
            Submitted by: perlun
            Submitted on: Tue 16 Nov 2021 01:29:02 PM UTC
                Category: None
                Severity: 3 - Normal
                Priority: 5 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
                 Release: trunk
         Discussion Lock: Any
        Operating System: GNU/Linux
         Reproducibility: Every Time
           Fixed Release: None
         Planned Release: None
              Regression: No
           Work Required: None
          Patch Included: No
We discovered locally that wget (version 1.19.4 running on Ubuntu 18.04 and
1.21 running on Debian GNU/Linux bullseye) has an information leak if being
used with the --no-verbose flag. Here's an example of its output when executed
this way:

some-server:/some/path$ wget https://foo:bar@some-host.acme.com --no-verbose
2021-11-16 10:02:09 URL:https://foo:bar@some-host.acme.com/ [0/0] -> "index.html.1" [1]

As can be seen above, the "foo:bar" user:password is incorrectly printed to
the standard output when this flag is being used.

Compare to the normal output when the --no-verbose flag is _not_ used. In this
case, the password is properly masked and replaced with *password* in the

some-server:/some/path$ wget https://foo:bar@some-host.acme.com 
--2021-11-16 10:02:14--  https://foo:*password*@some-host.acme.com/
Resolving some-host.acme.com (some-host.acme.com)...
Connecting to some-host.acme.com (some-host.acme.com)||:443...
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/html]
Saving to: ‘index.html.2’

index.html.2                 [ <=>                 ]       0  --.-KB/s    in 0s

2021-11-16 10:02:14 (0,00 B/s) - ‘index.html.2’ saved [0/0]

Thanks in advance.

Best regards
Per Lundberg


  Message sent via Savannah
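The masking behaviour the report describes, shown as an added Python example that is not part of the report or of wget itself: a redaction function that rewrites a URL's userinfo password to the same *password* placeholder wget prints in verbose mode, and a scanner that flags log lines which still carry an unmasked password (the kind of check one would run over captured wget output). The sample log lines are constructed from the two output shapes quoted above, with the report's placeholder credentials.

```python
import re
from urllib.parse import urlsplit, urlunsplit

MASK = "*password*"  # the placeholder wget itself prints in verbose mode

# A URL-looking token inside a free-form log line (scheme://non-space).
_URL_TOKEN = re.compile(r"\b[A-Za-z][A-Za-z0-9+.-]*://\S+")


def redact_url_password(url: str) -> str:
    """Return url with its userinfo password replaced by MASK.

    urlsplit is used instead of splitting on the first '@' because '@' may
    legally appear in the path or query. Username and host are kept verbatim
    (urlsplit does not percent-decode them). URLs without a password are
    returned unchanged, and an already-masked URL stays as it is.
    """
    parts = urlsplit(url)
    if parts.password is None:
        return url
    # host[:port] is everything after the last '@' of the netloc; this keeps
    # bracketed IPv6 literals and explicit ports intact.
    host_port = parts.netloc.rsplit("@", 1)[1]
    netloc = f"{parts.username}:{MASK}@{host_port}"
    return urlunsplit(parts._replace(netloc=netloc))


def redact_line(line: str) -> str:
    """Redact the password of every URL token found in one log line."""
    return _URL_TOKEN.sub(lambda m: redact_url_password(m.group(0)), line)


def find_leaked_credentials(lines):
    """Return (line_number, redacted_line) for each line that carried an
    unmasked URL password, so the finding can be reported without echoing
    the secret a second time."""
    hits = []
    for number, line in enumerate(lines, 1):
        redacted = redact_line(line)
        if redacted != line:
            hits.append((number, redacted))
    return hits


# Constructed sample (not real output): the --no-verbose line and the verbose
# line from the bug report, plus a harmless line.
SAMPLE_LOG = [
    '2021-11-16 10:02:09 URL:https://foo:bar@some-host.acme.com/ [0/0] -> "index.html.1" [1]',
    "--2021-11-16 10:02:14--  https://foo:*password*@some-host.acme.com/",
    "Resolving some-host.acme.com (some-host.acme.com)...",
]

if __name__ == "__main__":
    for number, redacted in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {number}: unmasked password -> {redacted}")
```

Only the --no-verbose line is flagged; the verbose line is already masked and passes through unchanged because redaction is idempotent.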
