curl/backport-tool_getparam-fix-hiding-of-command-line-secrets.patch

From 2ed0e1f70ee176edf3d2292ab01201eb6baf86b3 Mon Sep 17 00:00:00 2001
From: Harry Sintonen <sintonen@iki.fi>
Date: Wed, 11 Jan 2023 11:39:33 +0100
Subject: [PATCH] tool_getparam: fix hiding of command line secrets

Closes #10276
---
 src/tool_getparam.c | 14 ++++++++------
 src/tool_getparam.h |  1 +
 src/tool_parsecfg.c |  2 +-
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index 68bc83223..bb4303a8c 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -660,6 +660,7 @@ static ParameterError data_urlencode(struct GlobalConfig *global,
 
 ParameterError getparameter(const char *flag, /* f or -long-flag */
                             char *nextarg,    /* NULL if unset */
+                            argv_item_t cleararg,
                             bool *usedarg,    /* set to TRUE if the arg
                                                  has been used */
                             struct GlobalConfig *global,
@@ -764,15 +765,16 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
       /* this option requires an extra parameter */
       if(!longopt && parse[1]) {
         nextarg = (char *)&parse[1]; /* this is the actual extra parameter */
-#ifdef HAVE_WRITABLE_ARGV
-        clearthis = nextarg;
-#endif
         singleopt = TRUE;   /* don't loop anymore after this */
       }
       else if(!nextarg)
         return PARAM_REQUIRES_PARAMETER;
-      else
+      else {
+#ifdef HAVE_WRITABLE_ARGV
+        clearthis = cleararg;
+#endif
         *usedarg = TRUE; /* mark it as used */
+      }
 
       if((aliases[hit].desc == ARG_FILENAME) &&
          (nextarg[0] == '-') && nextarg[1]) {
@@ -2494,7 +2496,7 @@ ParameterError parse_args(struct GlobalConfig *global, int argc,
           }
         }
 
-        result = getparameter(orig_opt, nextarg, &passarg,
+        result = getparameter(orig_opt, nextarg, argv[i + 1], &passarg,
                               global, config);
         curlx_unicodefree(nextarg);
         config = global->last;
@@ -2533,7 +2535,7 @@ ParameterError parse_args(struct GlobalConfig *global, int argc,
       bool used;
 
       /* Just add the URL please */
-      result = getparameter("--url", orig_opt, &used, global, config);
+      result = getparameter("--url", orig_opt, argv[i], &used, global, config);
     }
 
     if(!result)
diff --git a/src/tool_getparam.h b/src/tool_getparam.h
index 677ce8e5f..827a04e81 100644
--- a/src/tool_getparam.h
+++ b/src/tool_getparam.h
@@ -55,6 +55,7 @@ struct GlobalConfig;
 struct OperationConfig;
 
 ParameterError getparameter(const char *flag, char *nextarg,
+                            argv_item_t cleararg,
                             bool *usedarg,
                             struct GlobalConfig *global,
                             struct OperationConfig *operation);
diff --git a/src/tool_parsecfg.c b/src/tool_parsecfg.c
index ffc19fdf0..50d03f666 100644
--- a/src/tool_parsecfg.c
+++ b/src/tool_parsecfg.c
@@ -223,7 +223,7 @@ int parseconfig(const char *filename, struct GlobalConfig *global)
 #ifdef DEBUG_CONFIG
       fprintf(stderr, "PARAM: \"%s\"\n",(param ? param : "(null)"));
 #endif
-      res = getparameter(option, param, &usedarg, global, operation);
+      res = getparameter(option, param, NULL, &usedarg, global, operation);
       operation = global->last;
 
       if(!res && param && *param && !usedarg)
-- 
2.33.0