back to article Open-source devs: Wget off your bloated festive behinds and patch this user cred-blabbing bug

Happy New Year! Oh, and if you include GNU's wget utility in software you write, pull down the new version released on Boxing Day and push out updates to your users. The popular utility retrieves internet-hosted HTTP/HTTPS and FTP/FTPS content and some years ago began storing extended attributes on disk as URIs. On Christmas …

  1. DJ Smiley

    Surely it's not a bug, but something that should be noted

    After all, if you're doing the wget - you already know the URI and any information it holds.

    As for "Hector Martin tweeted that the stored information survives being moved to a different filesystem, so someone wanting to steal stored URLs from can move it from the target's hard drive to a USB key with no trouble."

    So? If the attacker has access to my local file system, I'm already compromised, and if I send them files blindly, I'm an idiot.

    1. Pascal Monett Silver badge

      Agreed, this is no bug. This is a functionality that was implemented in a time when password security was not even thought about in any serious way.

      The fact that the new version no longer uses this functionality means the developers have wisened up.

      The fact that said new version is brand new means nobody worried about it before 2018 - which is way too late in my opinion.

  2. DCFusor Silver badge
    WTF?

    From where

    Did a password come to be available for wget to store? Haven't used it much, but none of the things I've used it for asked me for a password at all, nor was there one on the command line I copy/pasted to get say, a perl CGI wrapper for NGINX from ... the NGINX site. Legit question? Is there any widespread use of wget that does somehow hand it a password ? Just read as much of the man page as I could handle on an empty stomach and saw no mention of a pword, and as far as I know, user level privilege programs on linux (which I'm running) can't get my user's password either.

    1. Phil Endecott Silver badge

      Re: From where

      You can include username and password in the URL you give to wget, using the syntax http://user:pw@host/path

      1. DCFusor Silver badge

        Re: From where

        Thanks! As I get lazy when it's time to RTFM and all I have is the man command, I wrote a little script to convert man pages to .pdf files so I can search them - which took less time to do and find that out than I'd already spent in the man command - which is pretty clunky. I shared the little script here:

        http://www.coultersmithing.com/forums/viewtopic.php?f=33&p=6598#p6598

        Yes, pdf is a horrible format with all kinds of dangers of its own, but it'd seem most or all of those are from malformed pdf files with executable code in them - not an issue here. The default font is also easier on the eyes in most pdf readers than the one the terminal uses.

        I'm building up a few of these in a directory on my homestead share for the more hassleiferous man pages (think systemd stuff...rsync, other complex stuff you don't use every day).

        1. Phil Endecott Silver badge

          Re: From where

          Seriously?

          You can search in man by pressing /

          You can see man pages with better typography using xman.

          1. Gene Cash Silver badge

            Re: From where

            ... if xman wasn't such a POS:

            $ xman wget

            This argument is unknown to Xman: wget

            Seriously?

          2. DCFusor Silver badge

            Re: From where

            I just tried that /, and while it works, talk about obscure linux trivia (some terminal emulators have issues scrolling back or seeing a lot of a page at a time as well) - speaking of the problem I was trying to solve.

            Try typing in /search or just // It's entertaining, I'll give you that. Seriously, nice way to respond to "thanks".

            Some of us have things to do other than read man pages for decades on end. If man needs a man page (I know, it has one), then....people who think that's cool are why not many of us have linux on the desktop or as our daily driver (I only account for 15 or so machines running it. Since around y2k plus a couple).

            PDF cleans its clock. Downvote away...

            I'm wondering why whoever downvoted my first comment did it. Are there really a bunch of common uses for wget with a password? If so, how many hardcode that password in some script so are security bugs themselves? All of them? Who types a command line that long? I've been at this quite some time (see my site) - and I don't, and I LIKE CLI stuff.

            Does anyone use the ssl key stuff instead? If not, why not? I didn't mean to start a flame war, but holy cow, what a bunch of flak from a simple question of "why TF do that anyway?".

            1. pmb00cs

              Re: From where

              It's not just command line usage of wget, wget can be used as a library for other programs to fetch files off the internet. If the resource being fetched is behind a login the details needed to authenticate access to that resource need to be passed to the wget processes somehow. That can be done by prepending the domain with "user:pw" in the URL or by including auth tokens in the query string at the end of the URL. Both of these could be considered sensitive data that should probably not be arbitrarily stored on disk unprotected. So any program, or script, that relies on wget could be effected by this bug.

              It is worth noting that chromium is also effected by a very similar bug, and that is not an easy program to use on the command line.

  3. Anonymous Coward
    Anonymous Coward

    'tis the season

    I too getfattr 'round the holidays

    Sorry, I'll get my coat. (it's the one with the distressed buttons.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019