I am in the process of working through a security audit of software that is statically linked with libcurl. The security audit is being done using Veracode's static analysis engine (www.veracode.com). Veracode is flagging code in libcurl where the connection password (conn->passwd) and proxy password (proxyinfo->passwd) are set, with the warning that they are stored in plain text. The security concern with this is described by CWE ID 316 (https://cwe.mitre.org/data/definitions/316.html).

My questions regarding these findings are:

* Has anyone done something similar? If so, how did you resolve the situation to pass the security audit?
* Is this something likely to be resolved/addressed by the maintainers of this project?
Thank you.

Michael

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
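Added editorial example, not libcurl's code and not part of the original mail: the kind of pattern a reviewer typically wants to see when discussing a CWE-316 "plaintext secret in memory" finding. A credential is copied into a small holder, used, then scrubbed with a write the compiler cannot optimize away before the buffer is freed, so the plaintext lives in memory only for the window it is actually needed. The struct, function names and the sample password `hunter2` are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical holder for a credential (not a libcurl type). */
typedef struct {
    char  *buf;  /* heap copy of the plaintext secret, NUL-terminated */
    size_t len;  /* secret length, excluding the NUL */
    size_t cap;  /* bytes allocated for buf */
} secret_t;

/* Zero memory through a volatile pointer so the store is not elided as
 * a "dead" write even though the buffer is about to be freed. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Copy a credential into the holder. Returns 0 on success, -1 on failure. */
int secret_set(secret_t *s, const char *src) {
    size_t n = strlen(src);
    s->buf = (char *)malloc(n + 1);
    if (s->buf == NULL)
        return -1;
    memcpy(s->buf, src, n + 1);
    s->len = n;
    s->cap = n + 1;
    return 0;
}

/* Count non-zero bytes still present in the buffer: >0 means plaintext
 * residue is still resident, 0 means the buffer has been scrubbed. */
size_t secret_residue(const secret_t *s) {
    size_t i, count = 0;
    for (i = 0; s->buf != NULL && i < s->cap; i++)
        if (s->buf[i] != 0)
            count++;
    return count;
}

/* Overwrite the plaintext in place. Returns the residue left afterwards,
 * which is 0 when the scrub succeeded. */
size_t secret_scrub(secret_t *s) {
    if (s->buf != NULL)
        secure_zero(s->buf, s->cap);
    s->len = 0;
    return secret_residue(s);
}

/* Scrub and then release the buffer; the holder keeps no copy. */
void secret_release(secret_t *s) {
    secret_scrub(s);
    free(s->buf);
    s->buf = NULL;
    s->cap = 0;
}

int main(void) {
    secret_t s;
    if (secret_set(&s, "hunter2") != 0)   /* constructed sample password */
        return 1;
    printf("residue while in use: %zu bytes\n", secret_residue(&s));
    printf("residue after scrub:  %zu bytes\n", secret_scrub(&s));
    secret_release(&s);
    return 0;
}
```

The point for an audit conversation is the narrowed window, not an absence of plaintext: the secret must exist in clear form at the moment it is placed on the wire, so the mitigation is to hold it no longer than necessary and to scrub rather than merely free it.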
