Skip to content

CURLINFO_TEXT data can include sensitive headers #17353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
JulesRapanga opened this issue May 15, 2025 · 1 comment
Closed

CURLINFO_TEXT data can include sensitive headers #17353

JulesRapanga opened this issue May 15, 2025 · 1 comment

Comments

@JulesRapanga
Copy link

I did this

Enabled verbose logging and set CURLOPT_DEBUGFUNCTION. As I didn't want to log sensitive data or headers I only logged the data from CURLINFO_TEXT callbacks, not CURLINFO_HEADER_IN or CURLINFO_HEADER_OUT.

I later discovered that the HTTP/2 module logs transmitted headers as CURLINFO_TEXT.

I expected the following

Either headers shouldn't be logged as CURLINFO_TEXT or the documentation for CURLOPT_DEBUGFUNCTION should be updated with a warning.

curl/libcurl version

curl 8.12.1

operating system

Ubuntu Noble
bagder added a commit that referenced this issue May 15, 2025
@bagder
docs/libcurl: mention sensitive data/headers
ec156d5 
In the CURLOPT_DEBUGFUNCTION and CURLOPT_VERBOSE documentation.

Mentioned-by: Gordon Parke
Fixes #17353
@bagder bagder mentioned this issue May 15, 2025
Closed
@bagder
Copy link
Member

bagder commented May 15, 2025

See #17355 for my proposed documentation update.

@bagder bagder closed this as completed in b4310c0 May 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

docs/libcurl: mention sensitive data/headers curl/curl
2 participants
@bagder @JulesRapanga
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy