Micah Cowan wrote:
Matthew Woehlke wrote:
http://www.mail-archive.com/[email protected]/msg06979.html
Did this patch make it into the soon-to-be-released version (1.10.3?)? I
need to wget a webpage that wants authentication, and I don't want to
have to put it on disk or have it show up in 'ps'.
I can't find the message (with accompanying patch) that is referred to
by the message in that link. However, Mauro's response seemed to
indicate that he didn't like that particular method for telling wget to
prompt for password.
I'd agree with Mauro that the option should be --prompt-passwd or some such.
Ah, I see now, "the first patch" must have been something else.
At any rate, I don't believe the upcoming 1.11 release is going to
include a secure password prompt. I'm somewhat surprised that there
hasn't been one in all these years.
Adding such a feature will be one of my top priorities for the following
release.
Ok, thanks. I'll try to watch CVS (may even send you a patch), I
want/need it rather urgently (for a script that talks to a website that
didn't need authentication last time I used said script).
However, I won't hold the next release for such a change, as
we're just too close.
Understood. :-) Thanks for the quick reply!
I'm already going to be delaying the release a bit
for a couple of (higher-priority) security fixes that I simply would not
be comfortable releasing without--for instance, if you are uncomfortable
with the idea of putting your password on disk or in the process table,
how comfortable are you with the idea that in every version of wget up
until now, it sends that password in the clear, regardless of whether or
not the remote server is using cleartext password authentication (only
applies to http, not https, situations)?
Yes, I saw that thread. Alas, I often have to connect via telnet to
boxes that want the same password, so in that sense I'm rather already
screwed.
--
Matthew
ESIG: .sig file not available
