jgoerzen / twidge

Command-line twitter/identica client [Haskell]
http://wiki.github.com/jgoerzen/twidge/
GNU General Public License v2.0
220 stars, 29 forks

Password displayed in error message, and visible in /proc/`pidof curl`/cmdline #2

Closed jgoerzen closed 14 years ago

jgoerzen commented 14 years ago

From http://software.complete.org/software/issues/show/122

Added by Robin Green on 2008-12-24. ALL TEXT BELOW BY ROBIN GREEN:

My password was displayed in an error message. If someone had been looking over my shoulder at the time, they might have been able to learn my Twitter password.

The error message looks like this:

curl: (35) SSL connect error twidge: user error (("curl",["-A","twidge v1.0.0; Haskell; GHC","-s","-S","-L","-y","60","-Y","1","--retry","2","-f","--user","greenrd:PASSWORD","https://twitter.com/statuses/friends_timeline.xml?page=1"]): exited with code 35)

(I have replaced my password with PASSWORD above.)

A related problem is that on Linux, my Twitter password would be obtainable by another user on the system if they were able to examine /proc while curl was running (which is possible). I think the right way to avoid both of these problems is to avoid passing the password on the command line.

One way to do this would be to ask the user to put their authentication information in $HOME/.curlrc, instead of in a configuration file specific to twidge.
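An added example, not twidge's code and not from either commenter, of the fix the report asks for: the client hands curl its options through a config file read from stdin (`curl -K -`), so the password never appears in argv (and thus not in /proc/<pid>/cmdline), and the failure message reports only the exit code and URL instead of echoing the argument list. The function and class names are mine; `fake_curl` stands in for the real binary so the script runs offline.

```python
"""Pass basic-auth credentials to curl via a stdin config, never via argv."""
import subprocess
import sys
from dataclasses import dataclass


@dataclass
class CurlResult:
    returncode: int
    stdout: str
    message: str  # user-facing text; must never contain the credentials


def _quote(value: str) -> str:
    # curl config values are double-quoted; backslash and quote are escaped.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def curl_config(user: str, password: str, url: str) -> str:
    """Render the options twidge 1.0 passed in argv as curl config lines."""
    lines = [
        f"user = {_quote(user + ':' + password)}",
        f"url = {_quote(url)}",
        "silent", "show-error", "location", "fail",
    ]
    return "\n".join(lines) + "\n"


def run_curl(user: str, password: str, url: str, curl_cmd=("curl",)) -> CurlResult:
    # Only "-K -" is on the command line; the secret travels over the pipe.
    argv = [*curl_cmd, "-K", "-"]
    proc = subprocess.run(argv, input=curl_config(user, password, url),
                          capture_output=True, text=True)
    if proc.returncode == 0:
        message = "ok"
    else:
        # Report exit code and URL, not argv (which is what leaked in the bug),
        # and scrub the secret from curl's own stderr before surfacing it.
        detail = proc.stderr.strip().replace(password, "[REDACTED]")
        message = f"curl exited with code {proc.returncode} fetching {url}: {detail}"
    return CurlResult(proc.returncode, proc.stdout, message)


def fake_curl(python_snippet: str) -> tuple:
    """Stand-in for the curl binary so this example runs offline (constructed)."""
    return (sys.executable, "-c", python_snippet)


if __name__ == "__main__":
    # Reproduce the reported failure: exit code 35, and show the safe message.
    r = run_curl("greenrd", "PASSWORD", "https://twitter.com/statuses/friends_timeline.xml?page=1",
                 curl_cmd=fake_curl("import sys; sys.stderr.write('curl: (35) SSL connect error\\n'); sys.exit(35)"))
    print(r.message)
```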

jgoerzen commented 14 years ago

No longer uses Curl as of 4ed1f58e3d3741ed5f0a820163f72b08da17fd41 so this is fixed.