From 1993e140f268ade8043cd9447377cc24b1dc9ce6 Mon Sep 17 00:00:00 2001
From: dan
Date: Tue, 9 Jan 2001 20:30:43 -0800
Subject: [PATCH] [svn] url.c (str_url): Henrik van Ginhoven pointed out on the list that we shouldn't give away the number of characters in the password by replacing each character with a 'x'. Use "" instead.
---
 src/ChangeLog | 3 +++
 src/url.c | 11 +++++++----
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/ChangeLog b/src/ChangeLog
index 064e72f5..718bb8eb 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -5,6 +5,9 @@
 it into this new file, to fix spelling mistakes, to clarify, etc.
 * url.c (write_backup_file): Clarified a comment.
+ (str_url): Henrik van Ginhoven pointed out on the list that we
+ shouldn't give away the number of characters in the password by
+ replacing each character with a 'x'. Use "" instead.
 * ftp.c (ftp_retrieve_dirs): I don't see a ChangeLog entry for this, but the bug where recursion into FTP directories didn't work
diff --git a/src/url.c b/src/url.c
index cf3e2b23..747fb7be 100644
--- a/src/url.c
+++ b/src/url.c
@@ -688,11 +688,14 @@ str_url (const struct urlinfo *u, int hide)
 user = CLEANDUP (u->user);
 if (u->passwd)
 {
- int j;
- passwd = CLEANDUP (u->passwd);
 if (hide)
- for (j = 0; passwd[j]; j++)
- passwd[j] = 'x';
+ /* Don't output the password, or someone might see it over the user's
+ shoulder (or in saved wget output). Don't give away the number of
+ characters in the password, either, as we did when we replaced the
+ password characters with 'x's. */
+ passwd = "";
+ else
+ passwd = CLEANDUP (u->passwd);
 }
 if (u->proto == URLFTP && *dir == '/')
 {
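Review bot: In the src/url.c hunk the `hide` branch now leaves `passwd` pointing at a string literal, while the `else` branch still assigns a `CLEANDUP` copy, so the two paths hand back differently owned storage. The rest of `str_url` is outside this hunk; if it releases `passwd` after building the result, as the old code's in-place overwrite of a private copy suggests it may, the `hide` path would pass a literal to the deallocator, which is undefined behaviour. Giving both branches a heap copy keeps any later release valid, e.g. `passwd = xstrdup ("");`, or the release can be guarded on `!hide`. Separately, an empty replacement makes a redacted URL in saved output look the same as one with an empty password; a fixed marker string would hide the length equally well while showing that something was withheld.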