diff --git a/backport-curl-tool-erase-some-more-sensitive-command-line-arg.patch b/backport-curl-tool-erase-some-more-sensitive-command-line-arg.patch
new file mode 100644
index 0000000..b73395d
--- /dev/null
+++ b/backport-curl-tool-erase-some-more-sensitive-command-line-arg.patch
@@ -0,0 +1,95 @@
+From b6acbdeb6375c9552fd4b04d5ab38422ed25fbaf Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat
+Date: Mon, 10 Jan 2022 11:51:16 +0100
+Subject: [PATCH] curl tool: erase some more sensitive command line arguments
+
+As the ps command may reveal sensitive command line info, obfuscate
+options --tlsuser, --tlspasswd, --proxy-tlsuser, --proxy-tlspassword and
+--oauth2-bearer arguments.
+
+Reported-by: Stephen Boost
+
+Closes #7964
+---
+ src/tool_getparam.c | 35 ++++++++++++++++++++++-------------
+ 1 file changed, 22 insertions(+), 13 deletions(-)
+
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 7abbcc639..223214b0a 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al.
++ * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution.
The terms
+@@ -669,6 +669,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ break;
+ case 'B': /* OAuth 2.0 bearer token */
+ GetStr(&config->oauth_bearer, nextarg);
++ cleanarg(nextarg);
+ config->authtype |= CURLAUTH_BEARER;
+ break;
+ case 'c': /* connect-timeout */
+@@ -1617,16 +1618,20 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ GetStr(&config->crlfile, nextarg);
+ break;
+ case 'k': /* TLS username */
+- if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)
+- GetStr(&config->tls_username, nextarg);
+- else
++ if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) {
++ cleanarg(nextarg);
+ return PARAM_LIBCURL_DOESNT_SUPPORT;
++ }
++ GetStr(&config->tls_username, nextarg);
++ cleanarg(nextarg);
+ break;
+ case 'l': /* TLS password */
+- if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)
+- GetStr(&config->tls_password, nextarg);
+- else
++ if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) {
++ cleanarg(nextarg);
+ return PARAM_LIBCURL_DOESNT_SUPPORT;
++ }
++ GetStr(&config->tls_password, nextarg);
++ cleanarg(nextarg);
+ break;
+ case 'm': /* TLS authentication type */
+ if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP) {
+@@ -1687,17 +1692,21 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ break;
+
+ case 'u': /* TLS username for proxy */
+- if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)
+- GetStr(&config->proxy_tls_username, nextarg);
+- else
++ if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) {
++ cleanarg(nextarg);
+ return PARAM_LIBCURL_DOESNT_SUPPORT;
++ }
++ GetStr(&config->proxy_tls_username, nextarg);
++ cleanarg(nextarg);
+ break;
+
+ case 'v': /* TLS password for proxy */
+- if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)
+- GetStr(&config->proxy_tls_password, nextarg);
+- else
++ if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) {
++ cleanarg(nextarg);
+ return PARAM_LIBCURL_DOESNT_SUPPORT;
++ }
++ GetStr(&config->proxy_tls_password, nextarg);
++
cleanarg(nextarg);
+ break;
+
+ case 'w': /* TLS authentication type for proxy */
+--
+2.33.0
+
diff --git a/backport-getparam-correctly-clean-args.patch b/backport-getparam-correctly-clean-args.patch
new file mode 100644
index 0000000..2f9c0b7
--- /dev/null
+++ b/backport-getparam-correctly-clean-args.patch
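Review bot: In backport-curl-tool-erase-some-more-sensitive-command-line-arg.patch, the `cleanarg(nextarg)` calls added for `--oauth2-bearer` and the four TLS-SRP options only hide the value if `nextarg` still points at the process's own argv memory, which this patch does not establish. The repair-cleanarg patch later in this series states that cleaning has to happen on the original argv[] pointers and describes the earlier behaviour as a regression since 9e5669f; if the 7.79.1 base already carries that change (not visible here), these calls blank a copy and `ps` keeps showing the secret until Patch43 and its follow-ups are applied, so this patch should not be shipped or cherry-picked on its own. Even when the wipe is effective it runs only once parsing reaches the option and leaves the length intact, so I would add a comment at the first call such as `/* best effort: the value stays readable in the process list until this point */`. getparameter's body extends beyond the quoted hunks.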
@@ -0,0 +1,107 @@
+From 5b059ba8954c6dcf305ff4def77fe394c7b57401 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Tue, 30 Aug 2022 23:40:19 +0200
+Subject: [PATCH] getparam: correctly clean args
+
+Follow-up to bf7e887b2442783ab52
+
+The previous fix for #9128 was incomplete and caused #9397.
+
+Fixes #9397
+Closes #9399
+---
+ src/tool_getparam.c | 15 ++++++++-------
+ src/tool_getparam.h | 1 -
+ src/tool_parsecfg.c | 2 +-
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index f2ad91c19..e6c6a273d 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -558,7 +558,6 @@ static void cleanarg(argv_item_t str)
+
+ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ char *nextarg, /* NULL if unset */
+- argv_item_t clearthis,
+ bool *usedarg, /* set to TRUE if the arg
+ has been used */
+ struct GlobalConfig *global,
+@@ -576,7 +575,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ ParameterError err;
+ bool toggle = TRUE; /* how to switch boolean options, on or off.
Controlled
+ by using --OPTION or --no-OPTION */
+- (void)clearthis; /* for !HAVE_WRITABLE_ARGV builds */
++#ifdef HAVE_WRITABLE_ARGV
++ argv_item_t clearthis = NULL;
++#endif
+ *usedarg = FALSE; /* default is that we don't use the arg */
+
+ if(('-' != flag[0]) || ('-' == flag[1])) {
+@@ -652,6 +653,9 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ /* this option requires an extra parameter */
+ if(!longopt && parse[1]) {
+ nextarg = (char *)&parse[1]; /* this is the actual extra parameter */
++#ifdef HAVE_WRITABLE_ARGV
++ clearthis = nextarg;
++#endif
+ singleopt = TRUE; /* don't loop anymore after this */
+ }
+ else if(!nextarg)
+@@ -2443,17 +2447,15 @@ ParameterError parse_args(struct GlobalConfig *global, int argc,
+ stillflags = FALSE;
+ else {
+ char *nextarg = NULL;
+- argv_item_t clear = NULL;
+ if(i < (argc - 1)) {
+ nextarg = curlx_convert_tchar_to_UTF8(argv[i + 1]);
+ if(!nextarg) {
+ curlx_unicodefree(orig_opt);
+ return PARAM_NO_MEM;
+ }
+- clear = argv[i + 1];
+ }
+
+- result = getparameter(orig_opt, nextarg, clear, &passarg,
++ result = getparameter(orig_opt, nextarg, &passarg,
+ global, config);
+ curlx_unicodefree(nextarg);
+ config = global->last;
+@@ -2492,8 +2494,7 @@ ParameterError parse_args(struct GlobalConfig *global, int argc,
+ bool used;
+
+ /* Just add the URL please */
+- result = getparameter("--url", orig_opt, NULL, &used, global,
+- config);
++ result = getparameter("--url", orig_opt, &used, global, config);
+ }
+
+ if(!result)
+diff --git a/src/tool_getparam.h b/src/tool_getparam.h
+index 0564518a6..3eb177391 100644
+--- a/src/tool_getparam.h
++++ b/src/tool_getparam.h
+@@ -55,7 +55,6 @@ struct GlobalConfig;
+ struct OperationConfig;
+
+ ParameterError getparameter(const char *flag, char *nextarg,
+- argv_item_t clearthis,
+ bool *usedarg,
+ struct GlobalConfig *global,
+ struct OperationConfig *operation);
+diff --git a/src/tool_parsecfg.c b/src/tool_parsecfg.c
+index 34eb5daa9..a166757f8 100644
+---
a/src/tool_parsecfg.c
++++ b/src/tool_parsecfg.c
+@@ -223,7 +223,7 @@ int parseconfig(const char *filename, struct GlobalConfig *global)
+ #ifdef DEBUG_CONFIG
+ fprintf(stderr, "PARAM: \"%s\"\n",(param ? param : "(null)"));
+ #endif
+- res = getparameter(option, param, NULL, &usedarg, global, operation);
++ res = getparameter(option, param, &usedarg, global, operation);
+ operation = global->last;
+
+ if(!res && param && *param && !usedarg)
+--
+2.33.0
+
diff --git a/backport-tool_getparam-fix-cleanarg-for-unicode-builds.patch b/backport-tool_getparam-fix-cleanarg-for-unicode-builds.patch
new file mode 100644
index 0000000..a30d0a6
--- /dev/null
+++ b/backport-tool_getparam-fix-cleanarg-for-unicode-builds.patch
@@ -0,0 +1,87 @@
+From 206550a9c25e2084012f616dcce90142a30a8f80 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sat, 23 Jul 2022 13:33:57 +0200
+Subject: [PATCH] tool_getparam: fix cleanarg() for unicode builds
+
+Use the correct type, and make cleanarg an empty macro if the cleaning
+ability is absent.
+
+Fixes #9195
+Closes #9196
+
+Reviewed-by: Jay Satiro
+Reviewed-by: Marcel Raad
+---
+ src/tool_getparam.c | 14 +++++++-------
+ src/tool_getparam.h | 3 ++-
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 6423c8fe1..9bbd51d34 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -541,9 +541,9 @@ static ParameterError GetSizeParameter(struct GlobalConfig *global,
+ return PARAM_OK;
+ }
+
+-static void cleanarg(char *str)
+-{
+ #ifdef HAVE_WRITABLE_ARGV
++static void cleanarg(argv_item_t str)
++{
+ /* now that GetStr has copied the contents of nextarg, wipe the next
+ * argument out so that the username:password isn't displayed in the
+ * system process list */
+@@ -551,14 +551,14 @@ static void cleanarg(char *str)
+ size_t len = strlen(str);
+ memset(str, ' ', len);
+ }
++}
+ #else
+- (void)str;
++#define cleanarg(x)
+ #endif
+-}
+
+ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ char *nextarg, /* NULL if unset */
+- char *clearthis,
++ argv_item_t clearthis,
+ bool *usedarg, /* set to TRUE if the arg
+ has been used */
+ struct GlobalConfig *global,
+@@ -576,7 +576,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ ParameterError err;
+ bool toggle = TRUE; /* how to switch boolean options, on or off.
Controlled
+ by using --OPTION or --no-OPTION */
+-
++ (void)clearthis; /* for !HAVE_WRITABLE_ARGV builds */
+ *usedarg = FALSE; /* default is that we don't use the arg */
+
+ if(('-' != flag[0]) || ('-' == flag[1])) {
+@@ -2440,7 +2440,7 @@ ParameterError parse_args(struct GlobalConfig *global, int argc,
+ stillflags = FALSE;
+ else {
+ char *nextarg = NULL;
+- char *clear = NULL;
++ argv_item_t clear = NULL;
+ if(i < (argc - 1)) {
+ nextarg = curlx_convert_tchar_to_UTF8(argv[i + 1]);
+ if(!nextarg) {
+diff --git a/src/tool_getparam.h b/src/tool_getparam.h
+index e35136123..0564518a6 100644
+--- a/src/tool_getparam.h
++++ b/src/tool_getparam.h
+@@ -54,7 +54,8 @@ typedef enum {
+ struct GlobalConfig;
+ struct OperationConfig;
+
+-ParameterError getparameter(const char *flag, char *nextarg, char *clearthis,
++ParameterError getparameter(const char *flag, char *nextarg,
++ argv_item_t clearthis,
+ bool *usedarg,
+ struct GlobalConfig *global,
+ struct OperationConfig *operation);
+--
+2.33.0
+
diff --git a/backport-tool_getparam-fix-hiding-of-command-line-secrets.patch b/backport-tool_getparam-fix-hiding-of-command-line-secrets.patch
new file mode 100644
index 0000000..bbe406b
--- /dev/null
+++ b/backport-tool_getparam-fix-hiding-of-command-line-secrets.patch
@@ -0,0 +1,91 @@
+From 2ed0e1f70ee176edf3d2292ab01201eb6baf86b3 Mon Sep 17 00:00:00 2001
+From: Harry Sintonen
+Date: Wed, 11 Jan 2023 11:39:33 +0100
+Subject: [PATCH] tool_getparam: fix hiding of command line secrets
+
+Closes #10276
+---
+ src/tool_getparam.c | 14 ++++++++------
+ src/tool_getparam.h | 1 +
+ src/tool_parsecfg.c | 2 +-
+ 3 files changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 68bc83223..bb4303a8c 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -660,6 +660,7 @@ static ParameterError data_urlencode(struct GlobalConfig *global,
+
+ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ char *nextarg, /* NULL if unset */
++ argv_item_t cleararg,
+ bool *usedarg, /* set to TRUE if the arg
+ has been used */
+ struct GlobalConfig *global,
+@@ -764,15 +765,16 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ /* this option requires an extra parameter */
+ if(!longopt && parse[1]) {
+ nextarg = (char *)&parse[1]; /* this is the actual extra parameter */
+-#ifdef HAVE_WRITABLE_ARGV
+- clearthis = nextarg;
+-#endif
+ singleopt = TRUE; /* don't loop anymore after this */
+ }
+ else if(!nextarg)
+ return PARAM_REQUIRES_PARAMETER;
+- else
++ else {
++#ifdef HAVE_WRITABLE_ARGV
++ clearthis = cleararg;
++#endif
+ *usedarg = TRUE; /* mark it as used */
++ }
+
+ if((aliases[hit].desc == ARG_FILENAME) &&
+ (nextarg[0] == '-') && nextarg[1]) {
+@@ -2494,7 +2496,7 @@ ParameterError parse_args(struct GlobalConfig *global, int argc,
+ }
+ }
+
+- result = getparameter(orig_opt, nextarg, &passarg,
++ result = getparameter(orig_opt, nextarg, argv[i + 1], &passarg,
+ global, config);
+ curlx_unicodefree(nextarg);
+ config = global->last;
+@@ -2533,7 +2535,7 @@ ParameterError parse_args(struct GlobalConfig *global, int argc,
+ bool used;
+
+ /* Just add the URL please */
+- result = getparameter("--url", orig_opt, &used, global, config);
++ result =
getparameter("--url", orig_opt, argv[i], &used, global, config);
+ }
+
+ if(!result)
+diff --git a/src/tool_getparam.h b/src/tool_getparam.h
+index 677ce8e5f..827a04e81 100644
+--- a/src/tool_getparam.h
++++ b/src/tool_getparam.h
+@@ -55,6 +55,7 @@ struct GlobalConfig;
+ struct OperationConfig;
+
+ ParameterError getparameter(const char *flag, char *nextarg,
++ argv_item_t cleararg,
+ bool *usedarg,
+ struct GlobalConfig *global,
+ struct OperationConfig *operation);
+diff --git a/src/tool_parsecfg.c b/src/tool_parsecfg.c
+index ffc19fdf0..50d03f666 100644
+--- a/src/tool_parsecfg.c
++++ b/src/tool_parsecfg.c
+@@ -223,7 +223,7 @@ int parseconfig(const char *filename, struct GlobalConfig *global)
+ #ifdef DEBUG_CONFIG
+ fprintf(stderr, "PARAM: \"%s\"\n",(param ? param : "(null)"));
+ #endif
+- res = getparameter(option, param, &usedarg, global, operation);
++ res = getparameter(option, param, NULL, &usedarg, global, operation);
+ operation = global->last;
+
+ if(!res && param && *param && !usedarg)
+--
+2.33.0
+
diff --git a/backport-tool_getparam-repair-cleanarg.patch b/backport-tool_getparam-repair-cleanarg.patch
new file mode 100644
index 0000000..6d2ce2a
--- /dev/null
+++ b/backport-tool_getparam-repair-cleanarg.patch
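Review bot: In backport-tool_getparam-fix-hiding-of-command-line-secrets.patch, a secret attached directly to a short option is no longer blanked: the `if(!longopt && parse[1])` branch loses its `clearthis = nextarg;` assignment and gets nothing in return, so `clearthis` keeps the NULL it was initialised with by the correctly-clean-args patch and `cleanarg()` skips a NULL pointer. Only the `else` branch, where the value is a separate argv item, now points `clearthis` at `cleararg`. The attached case needs a pointer into the original argv item at the same offset that `&parse[1]` has within `flag`; until that is added, a comment in that branch such as `/* value attached to a short option: not wiped from argv */` would keep the gap visible. `cleararg` is also unused when HAVE_WRITABLE_ARGV is not defined, which may warn on strict builds. getparameter's body extends beyond these hunks.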
@@ -0,0 +1,267 @@
+From bf7e887b2442783ab52ddf9d1348c52344fc96f1 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 10 Jul 2022 15:22:13 +0200
+Subject: [PATCH] tool_getparam: repair cleanarg
+
+Regression since 9e5669f.
+
+Make sure the "cleaning" of command line arguments is done on the
+original argv[] pointers. As a bonus, it also exits better on out of
+memory error.
+
+Reported-by: Litter White
+Fixes #9128
+Closes #9130
+---
+ src/tool_getparam.c | 61 +++++++++++++++++++++++++++++++--------------
+ src/tool_getparam.h | 3 ++-
+ src/tool_paramhlp.c | 15 -----------
+ src/tool_paramhlp.h | 2 --
+ src/tool_parsecfg.c | 2 +-
+ 5 files changed, 45 insertions(+), 38 deletions(-)
+
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 9d425c846..6423c8fe1 100644
+--- a/src/tool_getparam.c
++++ b/src/tool_getparam.c
+@@ -487,7 +487,6 @@ GetFileAndPassword(char *nextarg, char **file, char **password)
+ Curl_safefree(*password);
+ *password = passphrase;
+ }
+- cleanarg(nextarg);
+ }
+
+ /* Get a size parameter for '--limit-rate' or '--max-filesize'.
+@@ -542,8 +541,24 @@ static ParameterError GetSizeParameter(struct GlobalConfig *global,
+ return PARAM_OK;
+ }
+
++static void cleanarg(char *str)
++{
++#ifdef HAVE_WRITABLE_ARGV
++ /* now that GetStr has copied the contents of nextarg, wipe the next
++ * argument out so that the username:password isn't displayed in the
++ * system process list */
++ if(str) {
++ size_t len = strlen(str);
++ memset(str, ' ', len);
++ }
++#else
++ (void)str;
++#endif
++}
++
+ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ char *nextarg, /* NULL if unset */
++ char *clearthis,
+ bool *usedarg, /* set to TRUE if the arg
+ has been used */
+ struct GlobalConfig *global,
+@@ -675,7 +690,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ break;
+ case 'B': /* OAuth 2.0 bearer token */
+ GetStr(&config->oauth_bearer, nextarg);
+- cleanarg(nextarg);
++ cleanarg(clearthis);
+ config->authtype |= CURLAUTH_BEARER;
+ break;
+ case 'c': /* connect-timeout */
+@@ -1637,6 +1652,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ case 'E':
+ switch(subletter) {
+ case '\0': /* certificate file */
++ cleanarg(clearthis);
+ GetFileAndPassword(nextarg, &config->cert, &config->key_passwd);
+ break;
+ case 'a': /* CA info PEM file */
+@@ -1653,7 +1669,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ break;
+ case 'e': /* private key passphrase */
+ GetStr(&config->key_passwd, nextarg);
+- cleanarg(nextarg);
++ cleanarg(clearthis);
+ break;
+ case 'f': /* crypto engine */
+ GetStr(&config->engine, nextarg);
+@@ -1679,19 +1695,19 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ break;
+ case 'k': /* TLS username */
+ if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) {
+- cleanarg(nextarg);
++ cleanarg(clearthis);
+ return PARAM_LIBCURL_DOESNT_SUPPORT;
+ }
+ GetStr(&config->tls_username, nextarg);
+- cleanarg(nextarg);
++ cleanarg(clearthis);
+ break;
+ case 'l': /* TLS password */
+ if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) {
+- cleanarg(nextarg);
++ cleanarg(clearthis);
+ return PARAM_LIBCURL_DOESNT_SUPPORT;
+ }
+ GetStr(&config->tls_password, nextarg);
+- cleanarg(nextarg);
++ cleanarg(clearthis);
+ break;
+ case 'm': /* TLS authentication type */
+ if(curlinfo->features & CURL_VERSION_TLSAUTH_SRP) {
+@@ -1752,21 +1768,19 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ break;
+
+ case 'u': /* TLS username for proxy */
++ cleanarg(clearthis);
+ if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) {
+- cleanarg(nextarg);
+ return PARAM_LIBCURL_DOESNT_SUPPORT;
+ }
+ GetStr(&config->proxy_tls_username, nextarg);
+- cleanarg(nextarg);
+ break;
+
+ case 'v': /* TLS password for proxy */
++ cleanarg(clearthis);
+ if(!(curlinfo->features & CURL_VERSION_TLSAUTH_SRP)) {
+- cleanarg(nextarg);
+ return PARAM_LIBCURL_DOESNT_SUPPORT;
+ }
+ GetStr(&config->proxy_tls_password, nextarg);
+- cleanarg(nextarg);
+ break;
+
+ case 'w': /* TLS authentication type for proxy */
+@@ -1780,6 +1794,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ break;
+
+ case 'x': /* certificate file for proxy */
++ cleanarg(clearthis);
+ GetFileAndPassword(nextarg, &config->proxy_cert,
+ &config->proxy_key_passwd);
+ break;
+@@ -1798,7 +1813,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+
+ case '1': /* private key passphrase for proxy */
+ GetStr(&config->proxy_key_passwd, nextarg);
+- cleanarg(nextarg);
++ cleanarg(clearthis);
+ break;
+
+ case '2': /* ciphers for proxy */
+@@ -2246,12 +2261,12 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
+ case 'u':
+ /* user:password */
+ GetStr(&config->userpwd, nextarg);
+- cleanarg(nextarg);
++ cleanarg(clearthis);
+ break;
+ case 'U':
+ /* Proxy user:password */
+ GetStr(&config->proxyuserpwd, nextarg);
+- cleanarg(nextarg);
++ cleanarg(clearthis);
+ break;
+ case 'v':
+ if(toggle) {
+@@ -2424,11 +2439,19 @@ ParameterError
parse_args(struct GlobalConfig *global, int argc,
+ following (URL) argument to start with -. */
+ stillflags = FALSE;
+ else {
+- char *nextarg = (i < (argc - 1))
+- ? curlx_convert_tchar_to_UTF8(argv[i + 1])
+- : NULL;
++ char *nextarg = NULL;
++ char *clear = NULL;
++ if(i < (argc - 1)) {
++ nextarg = curlx_convert_tchar_to_UTF8(argv[i + 1]);
++ if(!nextarg) {
++ curlx_unicodefree(orig_opt);
++ return PARAM_NO_MEM;
++ }
++ clear = argv[i + 1];
++ }
+
+- result = getparameter(orig_opt, nextarg, &passarg, global, config);
++ result = getparameter(orig_opt, nextarg, clear, &passarg,
++ global, config);
+ curlx_unicodefree(nextarg);
+ config = global->last;
+ if(result == PARAM_NEXT_OPERATION) {
+@@ -2466,7 +2489,7 @@ ParameterError parse_args(struct GlobalConfig *global, int argc,
+ bool used;
+
+ /* Just add the URL please */
+- result = getparameter("--url", orig_opt, &used, global,
++ result = getparameter("--url", orig_opt, NULL, &used, global,
+ config);
+ }
+
+diff --git a/src/tool_getparam.h b/src/tool_getparam.h
+index ef9833575..e35136123 100644
+--- a/src/tool_getparam.h
++++ b/src/tool_getparam.h
+@@ -54,7 +54,8 @@ typedef enum {
+ struct GlobalConfig;
+ struct OperationConfig;
+
+-ParameterError getparameter(const char *flag, char *nextarg, bool *usedarg,
++ParameterError getparameter(const char *flag, char *nextarg, char *clearthis,
++ bool *usedarg,
+ struct GlobalConfig *global,
+ struct OperationConfig *operation);
+
+diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c
+index 71c738594..db0d0fb00 100644
+--- a/src/tool_paramhlp.c
++++ b/src/tool_paramhlp.c
+@@ -116,21 +116,6 @@ ParameterError file2memory(char **bufp, size_t *size, FILE *file)
+ return PARAM_OK;
+ }
+
+-void cleanarg(char *str)
+-{
+-#ifdef HAVE_WRITABLE_ARGV
+- /* now that GetStr has copied the contents of nextarg, wipe the next
+- * argument out so that the username:password isn't displayed in the
+- * system process list */
+- if(str) {
+- size_t len = strlen(str);
+-
memset(str, ' ', len); +- } +-#else +- (void)str; +-#endif +-} +- + /* + * Parse the string and write the long in the given address. Return PARAM_OK + * on success, otherwise a parameter specific error enum. +diff --git a/src/tool_paramhlp.h b/src/tool_paramhlp.h +index 297490b57..ec44e2df4 100644 +--- a/src/tool_paramhlp.h ++++ b/src/tool_paramhlp.h +@@ -31,8 +31,6 @@ ParameterError file2string(char **bufp, FILE *file); + + ParameterError file2memory(char **bufp, size_t *size, FILE *file); + +-void cleanarg(char *str); +- + ParameterError str2num(long *val, const char *str); + ParameterError str2unum(long *val, const char *str); + ParameterError oct2nummax(long *val, const char *str, long max); +diff --git a/src/tool_parsecfg.c b/src/tool_parsecfg.c +index a166757f8..34eb5daa9 100644 +--- a/src/tool_parsecfg.c ++++ b/src/tool_parsecfg.c +@@ -223,7 +223,7 @@ int parseconfig(const char *filename, struct GlobalConfig *global) + #ifdef DEBUG_CONFIG + fprintf(stderr, "PARAM: \"%s\"\n",(param ? param : "(null)")); + #endif +- res = getparameter(option, param, &usedarg, global, operation); ++ res = getparameter(option, param, NULL, &usedarg, global, operation); + operation = global->last; + + if(!res && param && *param && !usedarg) +-- +2.33.0 + diff --git a/curl.spec b/curl.spec index 066ac05..79308a8 100644 --- a/curl.spec +++ b/curl.spec @@ -6,7 +6,7 @@ Name: curl Version: 7.79.1 -Release: 19 +Release: 20 Summary: Curl is used in command lines or scripts to transfer data License: MIT URL: https://curl.haxx.se/ 
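Review bot: In backport-tool_getparam-repair-cleanarg.patch, the `case '\0'` certificate, `case 'u'`, `case 'v'` and `case 'x'` branches now call `cleanarg(clearthis)` before `nextarg` is read, whereas every other branch wipes after `GetStr`. That ordering is only safe while `clearthis` and `nextarg` never point at the same buffer; parse_args passes a value from `curlx_convert_tchar_to_UTF8` that it later frees, which suggests a copy, but the correctly-clean-args patch in this series sets `clearthis = nextarg` for attached short-option values, and in that state these four branches would parse a string of spaces. I would wipe after the value has been consumed everywhere, e.g. `GetFileAndPassword(nextarg, &config->cert, &config->key_passwd);` followed by `cleanarg(clearthis);`, keeping the extra `cleanarg` before the early `return PARAM_LIBCURL_DOESNT_SUPPORT`. getparameter's body extends beyond these hunks.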
@@ -53,6 +53,11 @@ Patch38: backport-CVE-2023-28322.patch Patch39: backport-0001-CVE-2023-28320.patch Patch40: backport-0002-CVE-2023-28320.patch Patch41: backport-0003-CVE-2023-28320.patch +Patch42: backport-curl-tool-erase-some-more-sensitive-command-line-arg.patch +Patch43: backport-tool_getparam-repair-cleanarg.patch +Patch44: backport-tool_getparam-fix-cleanarg-for-unicode-builds.patch +Patch45: backport-getparam-correctly-clean-args.patch +Patch46: backport-tool_getparam-fix-hiding-of-command-line-secrets.patch BuildRequires: automake brotli-devel coreutils gcc groff krb5-devel BuildRequires: libidn2-devel libnghttp2-devel libpsl-devel @@ -221,6 +226,12 @@ rm -rf ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %changelog +* Mon Jun 19 2023 zhouyihang - 7.79.1-20 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:hide sensitive info in cmdline when ps + * Sat Jun 10 2023 zhouyihang - 7.79.1-19 - Type:bugfix - CVE:NA