Suggestion: -H from a file...
Timothe Litt
2017-05-15 12:57:06 UTC
I had reason to use curl to interact with a service that requires a
secret key in a (proprietary) authorization header.

As far as I can tell, the only way to specify the header is with -H,
which works.

But it has the unfortunate side-effect of showing up in a 'ps' listing
since it's on the command line. This can reveal the authorization
secrets to other system users, which is not good.

--config might be a work-around, but would require finding and merging the
'real' curlrc into a temporary file - and securing that.

Suggestion: add a way to specify -H from a file, perhaps -***@filespec as is
provided for -d & friends? This would also make it easy to put multiple
headers into an @file. And @- would allow a HERE document to be used in a
script.

Thanks for your consideration.
--
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.



-----------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-users
Etiquette: https://curl.haxx.se/mail/et
Daniel Stenberg
2017-05-15 13:03:49 UTC
provided for -d & friends?
I like this idea!
--
/ daniel.haxx.se
Nick Chambers
2017-05-15 13:55:29 UTC
On 5/15/17, 8:03 AM, "curl-users on behalf of Daniel Stenberg"
Post by Daniel Stenberg
provided for -d & friends?
I like this idea!
--
/ daniel.haxx.se
In the meantime, you can do something like `curl -H "$(cat .secret_auth_token)" ...`
or something like that. It's not a cURL solution, but provides a workaround
until your idea can be implemented.


Kamil Dudka via curl-users
2017-05-15 14:20:44 UTC
Post by Nick Chambers
On 5/15/17, 8:03 AM, "curl-users on behalf of Daniel Stenberg"
Post by Daniel Stenberg
as is
provided for -d & friends?
I like this idea!
In the meantime, you can do something like `curl -H "$(cat .secret_auth_token)" ...`
or something like that. It's not a cURL solution, but provides a workaround
until your idea can be implemented.
I am afraid this is not going to help because command substitution gets
evaluated before executing curl. Consequently, the secret can still be
seen in the output of 'ps' as long as curl is running.

Kamil
Nick Chambers
2017-05-15 14:49:46 UTC
Post by Kamil Dudka via curl-users
Post by Nick Chambers
On 5/15/17, 8:03 AM, "curl-users on behalf of Daniel Stenberg"
Post by Daniel Stenberg
as is
provided for -d & friends?
I like this idea!
In the meantime, you can do something like `curl -H "$(cat .secret_auth_token)" ...`
or something like that. It's not a cURL solution, but provides a workaround
until your idea can be implemented.
I am afraid this is not going to help because command substitution gets
evaluated before executing curl. Consequently, the secret can still be
seen in the output of 'ps' as long as curl is running.
Kamil
My apologies... Too early :D. Need to grab some coffee


c***@recursor.net
2017-05-15 16:29:14 UTC
Post by Kamil Dudka via curl-users
Post by Nick Chambers
On 5/15/17, 8:03 AM, "curl-users on behalf of Daniel Stenberg"
Post by Daniel Stenberg
as is
provided for -d & friends?
I like this idea!
In the meantime, you can do something like `curl -H "$(cat .secret_auth_token)" ...`
or something like that. It's not a cURL solution, but provides a workaround
until your idea can be implemented.
I am afraid this is not going to help because command substitution gets
evaluated before executing curl. Consequently, the secret can still be
seen in the output of 'ps' as long as curl is running.
Kamil
You can use ‘expect’ to provide passwords “interactively” in batch scripts.
Your expect-script would read from the file. (You should at least limit
accessibility of that file.) You could then provide the user-name on the curl
command-line, and provide the password from your script, or don’t provide
command-line user, and provide both user and password from your script.

Jeff



Kamil Dudka via curl-users
2017-05-16 08:32:47 UTC
Post by c***@recursor.net
On May 15, 2017, at 8:20 AM, Kamil Dudka via curl-users -
Post by Nick Chambers
On 5/15/17, 8:03 AM, "curl-users on behalf of Daniel Stenberg"
Post by Daniel Stenberg
as is
provided for -d & friends?
I like this idea!
In the meantime, you can do something like `curl -H "$(cat .secret_auth_token)" ...`
or something like that. It's not a cURL solution, but provides a workaround
until your idea can be implemented.
I am afraid this is not going to help because command substitution gets
evaluated before executing curl. Consequently, the secret can still be
seen in the output of 'ps' as long as curl is running.
Kamil
You can use ‘expect’ to provide passwords “interactively” in batch scripts.
Your expect-script would read from the file. (You should at least limit
accessibility of that file.) You could then provide the user-name on the
curl command-line, and provide the password from your script, or don’t
provide command-line user, and provide both user and password from your
script.
I do not believe it would help either. As long as the curl tool gets the
"secret" headers by a command-line argument, which is the only choice at
the moment, it is observable from outside while curl is running.

If you still think it would work, please clarify how the data would be
transferred from 'expect' to 'curl' in a safe way.

Kamil
Post by c***@recursor.net
Jeff
Daniel Stenberg
2017-05-16 08:38:23 UTC
Post by Kamil Dudka via curl-users
I do not believe it would help either. As long as the curl tool gets the
"secret" headers by a command-line argument, which is the only choice at the
moment, it is observable from outside while curl is running.
It could probably be done by a script or something that pipes the secret
header as a -H command line option on stdout that gets read with curl's
--config / -K, similar to this:

$ ./generate_secret.sh | curl -K- http://example.com/
--
/ daniel.haxx.se
Kamil Dudka via curl-users
2017-05-16 08:53:31 UTC
Post by Daniel Stenberg
Post by Kamil Dudka via curl-users
I do not believe it would help either. As long as the curl tool gets the
"secret" headers by a command-line argument, which is the only choice at
the moment, it is observable from outside while curl is running.
It could probably be done by a script or something that pipes the secret
header as a -H command line option on stdout that gets read with curl's
$ ./generate_secret.sh | curl -K- http://example.com/
Indeed. I did not realize that 'curl --config' can read any command-line
option from the standard input (or a file). Then it really has a solid
workaround...

Kamil
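The piping workaround Daniel describes, worked into a small script as an added example (this is not code from the thread or from the curl project). The secret file path, the permission check, and the header name X-Auth-Token are assumptions for illustration; the point is that the header reaches curl through stdin via -K -, so it is never a command-line argument and never appears in ps.

```shell
#!/bin/sh
# Added example, not from the thread or the curl project. The secret header is
# written as a curl config line on stdout and read by `curl -K -`, so it never
# becomes a command-line argument. Header name and file path are assumptions.

# Refuse to use a secret file that group or others can access at all.
secret_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other bits of the mode string
    [ "$perms" = "------" ]
}

# Print one curl config line carrying the header. The value is double-quoted,
# and backslashes / double quotes inside the token are escaped, which is the
# escaping curl's config parser expects inside a quoted parameter.
# $(cat ...) strips any trailing newline from the token file.
emit_header_config() {
    token=$(cat "$1")
    escaped=$(printf '%s' "$token" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf 'header = "X-Auth-Token: %s"\n' "$escaped"
}

# Run curl with the secret header supplied on stdin. The only arguments that
# show up in `ps` are "-K -" and the URL. The default curlrc is still read,
# as Ray Satiro notes elsewhere in this thread.
fetch_with_secret() {
    secret_file="$1"; url="$2"
    secret_is_private "$secret_file" || {
        echo "refusing: $secret_file is accessible to group/others" >&2
        return 1
    }
    emit_header_config "$secret_file" | curl -K - "$url"
}

# Usage (assumed file and URL): fetch_with_secret ./secret.token https://example.com/api
```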

Daniel Stenberg
2017-05-15 14:38:12 UTC
provided for -d & friends?
Here's a first shot:

https://github.com/curl/curl/pull/1486
--
/ daniel.haxx.se
Ray Satiro via curl-users
2017-05-15 19:19:00 UTC
Post by Timothe Litt
I had reason to use curl to interact with a service that requires a
secret key in a (proprietary) authorization header.
As far as I can tell, the only way to specify the header is with -H,
which works.
But it has the unfortunate side-effect of showing up in a 'ps' listing
since it's on the command line. This can reveal the authorization
secrets to other system users, which is not good.
--config might be a work-around, but would require finding and merging the
'real' curlrc into a temporary file - and securing that.
Even if you use --config [1] curl will still read from the default curlrc.


[1]: https://curl.haxx.se/docs/manpage.html#-K


