#945126 wget --use-askpass exposes password to terminal

Package:
wget
Source:
wget
Description:
retrieves files from the web
Submitter:
martin f krafft
Date:
2019-11-20 09:21:05 UTC
Severity:
important
#945126#5
Date:
2019-11-20 09:17:57 UTC
From:
To:
% echo -e '#!/bin/sh\necho user:s3cr3t' > /tmp/askpass
% chmod +x /tmp/askpass
% wget --use-askpass=/tmp/askpass https://debian.org
--2019-11-20 22:14:24--  https://user%3As3cr3t:*password*@debian.org/
                                 ^^^^^^^^^^^^^^^^^^^^^^^^
There seems to be a bug here, possibly related to the output of the askpass
script being HTML-encoded too early.

HTTP basic auth still works (though not on debian.org, but I've
tried it on other sites).