If these changes to the documentation look good, I'll turn it into a
complete patch and push it.
On Tue, Aug 18, 2015 at 8:15 PM, Darshit Shah <[email protected]> wrote:
> Update of bug #45732 (project wget):
>
> Status: Invalid => Needs Discussion
>
> _______________________________________________________
>
> Follow-up Comment #3:
>
> That makes more sense. However, there's more than one way of doing this.
>
> Wget also supports reading from a user's netrc file. If we start mentioning
> everything in there, the section will quickly degenerate into a different
> topic. This is mentioned as a footnote.
>
> I think we could however add a note there asking the user to refer to section
> 2.5 which contains more information about password handling. Maybe, if someone
> is willing, we can also have an entire section on password handling mechanisms
> and workarounds.
>
> _______________________________________________________
>
> Reply to this item at:
>
> <http://savannah.gnu.org/bugs/?45732>
>
> _______________________________________________
> Message sent via/by Savannah
> http://savannah.gnu.org/
>
--
Thanking You,
Darshit Shah
diff --git i/doc/wget.texi w/doc/wget.texi
index d2ff7dc..e9bf48b 100644
--- i/doc/wget.texi
+++ w/doc/wget.texi
@@ -279,16 +279,15 @@ Either @var{user} or @var{password}, or both, may be left
out. If you
leave out either the @sc{http} username or password, no authentication
will be sent. If you leave out the @sc{ftp} username, @samp{anonymous}
will be used. If you leave out the @sc{ftp} password, your email
-address will be supplied as a default password.@footnote{If you have a
-@file{.netrc} file in your home directory, password will also be
-searched for there.}
+address will be supplied as a default password.
@strong{Important Note}: if you specify a password-containing @sc{url}
on the command line, the username and password will be plainly visible
to all users on the system, by way of @code{ps}. On multi-user systems,
this is a big security risk. To work around it, use @code{wget -i -}
and feed the @sc{url}s to Wget's standard input, each on a separate
-line, terminated by @kbd{C-d}.
+line, terminated by @kbd{C-d}. Please refer to @xref{Security Considerations}
+for more information.
You can encode unsafe characters in a @sc{url} as @samp{%xy}, @code{xy}
being the hexadecimal representation of the character's @sc{ascii}
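Review bot: In the added line "Please refer to @xref{Security Considerations}", @xref is the wrong cross-reference command. Texinfo's @xref is meant to start a sentence and already emits "See", so this renders as "Please refer to See ...". Either make it its own sentence, "@xref{Security Considerations}, for more information.", or keep the wording and use @ref{Security Considerations}. The hunk also deletes the @file{.netrc} footnote outright, so this section no longer tells the reader that a password in .netrc is picked up automatically. If that is intended, the new cross-reference is the only pointer left, and the target section should state that behaviour rather than only listing .netrc as a workaround.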
@@ -4109,6 +4108,12 @@ Wget's standard input, each on a separate line,
terminated by @kbd{C-d}.
Another workaround is to use @file{.netrc} to store passwords; however,
storing unencrypted passwords is also considered a security risk.
+If non-interactive behaviour is not an absolute requirement, it is also
possible
+to pass the @code{--ask-password} option to Wget. This option will block Wget
+waiting for user input from @file{stdin} via GNU Getpass. However, one must
+remember that this option will not work well when Wget is invoked from
automated
+scripts or as a background process.
+
@item
Using the insecure @dfn{basic} authentication scheme, unencrypted
passwords are transmitted through the network routers and gateways.
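Review bot: The added paragraph says --ask-password waits for input from stdin, but the workaround described just above it in the same item feeds the URLs through Wget's standard input, so the text should say whether the two can be combined or are strictly alternatives. "will not work well" is also too vague for a security section: state what actually happens when no user is present to answer the prompt (the paragraph itself says the option blocks). Smaller points: stdin is not a file name, so @code{stdin} or "standard input" (the wording used in the context line above) fits better than @file{stdin}, and the added lines have been wrapped by the mail client ("possible" and "automated" sit on their own lines without a "+"), so the patch will not apply as posted.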