[Bug 16282] New: wget: Allow hiding secrets and credentials from OS process list

[bugzilla at busybox.net]

https://bugs.busybox.net/show_bug.cgi?id=16282

            Bug ID: 16282
           Summary: wget: Allow hiding secrets and credentials from OS
                    process list
           Product: Busybox
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Networking
          Assignee: unassigned at busybox.net
          Reporter: bugs.busybox.net at hardfalcon.net
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

As of busybox 1.37.0, AFAICT the only way for specifying additional HTTP
headers seems to be the --header CLI parameter. This is a problem when passing
credentials such as passwords or access tokens, because all CLI parameters end
up in the system wide process list and are therefore accessible for all users
and processes on the local system.

In GNU wget, this problem can be circumvented by using the WGETRC environment
variable and by creating an ephemeral .wgetrc file with a line such as the
following:

header = Some_header: Some_value

In curl, the problem can be circumvented in a similar way by either using the
--config CLI parameter, or by using --header @some_file.

The most compatible way of solving this would probably be adding support for
the WGETRC environment variable and the .wgetrc config file, but of course I'd
be happy about any way/hint to solve or sidestep this problem. :)

-- 
You are receiving this mail because:
You are on the CC list for the bug.