reassign 624573 libcurl3-gnutls 7.21.0-1
retitle 624573 errorbuffer message includes user/password
thanks

Hi *,

in case of error, apt-transport-https prints the error message gathered
with CURL_ERRORBUFFER. If we have an unresolvable host the message in
stable (with libcurl3-gnutls 7.21.0) is as follows:

    Couldn't resolve host 'example.org:[email protected]'

As you can see here, it includes username and password.
Even further, the username is garbled as the username is in reality:
[email protected] -- so the 'me@' is cut off.

(It's not really a security issue in my eyes, as the user who can see
this message can easily also look up the files himself, but on the other
hand it is not really useful to include here - especially not broken.)

You can reproduce this by installing apt-transport-https and

    $ mkdir -p /tmp/apt/lists
    $ cd /tmp/apt
    $ cat test.list
    deb https://unresolvable.debian.org/debian/ squeeze main
    $ cat auth.conf
    machine unresolvable.debian.org login [email protected] password secret
    $ LANG=C apt-get update -o dir::etc::sourcelist=/tmp/apt/test.list -o dir::etc::sourceparts=/dev/null -o dir::etc::netrc=/tmp/apt/auth.conf -o dir::state::lists=/tmp/apt/lists -s

Also interesting, if I move back to the current unstable version of
libcurl3-gnutls (7.21.6-1) I am getting a different error:

    Failed to connect to 2620:0:2d0:200::10: Network is unreachable

If I remove the 'me@' part from auth.conf the message is

    Couldn't resolve host 'unresolvable.debian.org'

So, for newer versions username and password seem to get removed from
the error message, but it seems to be still confused by the @.

Best regards

David Kalnischkies

P.S.: Sorry, I have no https setup currently to test if it would work
if the host wouldn't be unresolvable...
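
Added example (not part of the original report, and not apt or libcurl code): a caller-side scrubber that removes userinfo from a quoted host or URL in an error string before it is printed, splitting at the last '@' of the authority so that a login which itself contains '@' is removed whole. The function names are hypothetical, and it assumes the host or URL appears in single quotes as in the message quoted above.

```c
#include <stddef.h>
#include <string.h>

/* Length of the "userinfo@" prefix of the authority in tok[0..n), split at
 * the LAST '@' so a login containing '@' is removed whole; 0 if none.
 * *skip receives the length of a leading "scheme://", which is kept. */
static size_t userinfo_len(const char *tok, size_t n, size_t *skip)
{
    size_t i, at = 0, found = 0;
    *skip = 0;
    for (i = 0; i + 2 < n; i++)
        if (tok[i] == ':' && tok[i+1] == '/' && tok[i+2] == '/') { *skip = i + 3; break; }
    for (i = *skip; i < n && !strchr("/?#", tok[i]); i++)  /* authority only */
        if (tok[i] == '@') { at = i; found = 1; }
    return found ? at + 1 - *skip : 0;
}

/* Copy msg to out with credentials removed from every single-quoted host or
 * URL. Returns the number of tokens scrubbed, or -1 if out is too small. */
int scrub_userinfo(const char *msg, char *out, size_t outlen)
{
    size_t o = 0;
    int scrubbed = 0;
    const char *p = msg;
    if (outlen == 0) return -1;
    while (*p) {
        /* An opening quote starts the string or follows a space; the
         * apostrophe in "Couldn't" does not qualify. */
        const char *end = NULL;
        if (*p == '\'' && (p == msg || p[-1] == ' '))
            end = strchr(p + 1, '\'');
        if (end) {
            const char *tok = p + 1;
            size_t skip, n = (size_t)(end - tok), cut = userinfo_len(tok, n, &skip);
            if (o + n - cut + 2 >= outlen) return -1;
            out[o++] = '\'';
            memcpy(out + o, tok, skip); o += skip;
            memcpy(out + o, tok + skip + cut, n - skip - cut); o += n - skip - cut;
            out[o++] = '\'';
            scrubbed += cut != 0;
            p = end + 1;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return scrubbed;
}
```

A password containing a single quote or a '/' is not handled by this sketch; the robust fix is to never build the message from a string that still carries credentials.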

