Added by Robin Green on 2008-12-24. ALL TEXT BELOW BY ROBIN GREEN:
My password was displayed in an error message. If someone had been looking over my shoulder at the time, they might have been able to learn my Twitter password.
The error message looks like this:
curl: (35) SSL connect error
twidge: user error (("curl",["-A","twidge v1.0.0; Haskell; GHC","-s","-S","-L","-y","60","-Y","1","--retry","2","-f","--user","greenrd:PASSWORD","https://twitter.com/statuses/friends_timeline.xml?page=1"]): exited with code 35)
(I have replaced my password with PASSWORD above.)
A related problem is that on Linux, my Twitter password would be obtainable by another user on the system if they were able to examine /proc while curl was running (which is possible). I think the right way to avoid both of these problems is to avoid passing the password on the command line.
One way to do this would be to ask the user to put their authentication information in $HOME/.curlrc, instead of in a configuration file specific to twidge.
From http://software.complete.org/software/issues/show/122
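The fix proposed in the report, keeping the password off curl's command line, sketched as an added example (not twidge's code and not part of the original report). It uses the same config syntax as .curlrc but feeds it to curl on stdin with `-K -`, then inspects a stand-in process through /proc to compare the two ways of passing the secret. The function names, the `curl-stand-in` label and the sample credentials are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not twidge code. Credentials below are constructed samples.

# Print a curl config line for --user. In a double-quoted curl config value,
# backslash and double quote must be backslash-escaped.
curl_user_config() {   # usage: curl_user_config USER PASSWORD
    esc=$(printf '%s' "$1:$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf 'user = "%s"\n' "$esc"
}

# Succeed if string $1 appears in the argument vector of process $2, read the
# way any local user can read it on Linux.
secret_in_argv() {
    tr '\0' '\n' < "/proc/$2/cmdline" | grep -qF -- "$1"
}

# The safer invocation: curl reads its config from stdin (-K -), so the
# credentials never enter argv. Needs curl and network; not run by probe.
fetch_with_stdin_creds() {   # usage: fetch_with_stdin_creds USER PASSWORD URL
    curl_user_config "$1" "$2" | curl -K - -s -S -f "$3"
}

# Offline check using a stand-in for curl (a shell that only sleeps).
# $1 = argv  : secret passed as an argument, as in the reported command line
# $1 = stdin : secret piped in as config. Prints "exposed" or "hidden".
probe() {
    secret='greenrd:PASSWORD'
    if [ "$1" = argv ]; then
        sh -c 'sleep 3; :' curl-stand-in --user "$secret" >/dev/null 2>&1 &
    else
        curl_user_config greenrd PASSWORD |
            sh -c 'cat >/dev/null; sleep 3; :' curl-stand-in -K - >/dev/null 2>&1 &
    fi
    pid=$!
    sleep 1                              # let the child exec before looking
    if secret_in_argv "$secret" "$pid"; then result=exposed; else result=hidden; fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    echo "$result"
}

if [ -r /proc/self/cmdline ]; then       # only meaningful where /proc exists
    echo "argv:  $(probe argv)"
    echo "stdin: $(probe stdin)"
fi
```

With the credentials on stdin, an error message that echoes curl's argument list, like the one quoted in the report, would show only `-K -` in place of `--user` and the password.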