Am 20.03.2026 um 07:30 hat [email protected] geschrieben:
> From: GuoHan Zhao <[email protected]>
>
> When password-secret is used, curl_open() resolves it with
> qcrypto_secret_lookup_as_utf8() and stores the returned buffer in
> s->password.
>
> Unlike s->proxypassword, s->password is not freed either in the open
> failure path or in curl_close(), so the resolved secret leaks once it
> has been allocated.
>
> Free s->password in both cleanup paths.
>
> Signed-off-by: GuoHan Zhao <[email protected]>
Fixes: 1bff96064290 ('curl: add support for HTTP authentication parameters')
Thanks, applied to the block branch.
Kevin
