[svn] url.c (str_url): Henrik van Ginhoven pointed out on the list that we shouldn't

give away the number of characters in the password by replacing each character
with a 'x'.  Use "<password>" instead.

diff --git a/src/ChangeLog b/src/ChangeLog
index 064e72f5c0e7e5f7e77a1bf0a403f0c9f80dc774..718bb8eb19a78f1dcbd613a3972e45d96bd1cd6c 100644 (file)
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -5,6 +5,9 @@
        it into this new file, to fix spelling mistakes, to clarify, etc.
 
        * url.c (write_backup_file): Clarified a comment.
+       (str_url): Henrik van Ginhoven pointed out on the list that we
+       shouldn't give away the number of characters in the password by
+       replacing each character with a 'x'.  Use "<password>" instead.
 
        * ftp.c (ftp_retrieve_dirs): I don't see a ChangeLog entry for
        this, but the bug where recursion into FTP directories didn't work

diff --git a/src/url.c b/src/url.c
index cf3e2b231927dfd23e3ddb57a19828b319246189..747fb7be068bdf32f263459af1b7d3de7bdb4d71 100644 (file)
--- a/src/url.c
+++ b/src/url.c
@@ -688,11 +688,14 @@ str_url (const struct urlinfo *u, int hide)
     user = CLEANDUP (u->user);
   if (u->passwd)
     {
-      int j;
-      passwd = CLEANDUP (u->passwd);
       if (hide)
-       for (j = 0; passwd[j]; j++)
-         passwd[j] = 'x';
+       /* Don't output the password, or someone might see it over the user's
+          shoulder (or in saved wget output).  Don't give away the number of
+          characters in the password, either, as we did when we replaced the
+          password characters with 'x's. */
+       passwd = "<password>";
+      else
+       passwd = CLEANDUP (u->passwd);
     }
   if (u->proto == URLFTP && *dir == '/')
     {