0

I have the following curl command which works perfectly fine:

curl --silent --location -cookie "$COOKIE" --cookie-jar "$COOKIE" \
--form 'username=xxx' --form 'password=yyy' 'http://example.com'

It logs into site http://example.com posting a form with variable names username and password.

Problem is: I do not want to pass the password in clear.

I have also tried to save the password in a file called passwd in the working directory (chmod 600 passwd) and used the following curl command (this is why I used --form instead of --data, which would have been worked fine with the password in clear), however, it does not work:

curl --silent --location -cookie "$COOKIE" --cookie-jar "$COOKIE" \
--form 'username=xxx' --form 'password=<passwd' 'http://example.com'

Any suggestion about how to solve this?

Regards, Stefano

stx73
  • 15
  • 1
  • 4

3 Answers3

1

Hans Z. answer to use environmental variable is correct in my opinion. Though I might just add that in bash you could use read command, which would prompt for password and not make it visible in history.

So the usage would look like this

$ read -s PASSWD  # -s is there so the characters you type don't show up
$ curl --silent --location -cookie "$COOKIE" --cookie-jar "$COOKIE" \
--form 'username=xxx' --form "password=${PASSWD}" 'http://example.com'

UPDATE:

Another solution found in the comments is to use curl's --data-urlencode name@filename argument. Quoting the manpage:

name@filename This will make curl load data from the given file (including any newlines), URL-encode that data and pass it on in the POST.

And the final command looked like

$ curl --silent --location -cookie "$COOKIE" --cookie-jar "$COOKIE" \
--data 'username=xxx' --data-urlencode "password@passwd" 'http://example.com'
Jakub
  • 772
  • 7
  • 19
  • Thanks for the quick replies. I forgot to metion that I would like to schedule the curl command in cron, so using an environmental variable would not help, because I do not want to put `export PASSWD=secret` in front of the cron command in the crontab file. – stx73 Oct 03 '15 at 19:57
  • Why not make it something like this then? `PASSWD=$(cat path-to-file-with-your-password); cron ... --form "password=$PASSWD" ...` (it's formatting badly, everything should be in one line) – Jakub Oct 03 '15 at 20:11
  • @stx73 - you can set a permanent environmental variable, you don't have to do export every time. – I wrestled a bear once. Oct 03 '15 at 20:18
  • It definitely works, however, I would consider the solution `--form 'password=`? Like `--form 'password='`, and in case, which ? I would like to make it working; adding `--trace-ascii -` to the curl command shows that the password is read from the _passwd_ file, but it does not work in the end. – stx73 Oct 03 '15 at 20:22
  • It's weird it doesn't substitute the contents of a file. Maybe try this `curl --data-urlencode "password@passwd"` – Jakub Oct 03 '15 at 20:53
  • Thanks @jakub, it works now: `curl --silent --location -cookie "$COOKIE" --cookie-jar "$COOKIE" --data 'username=xxx' --data-urlencode "password@passwd" 'http://example.com'` only thing, password in passwd must be stored _without_ '`\n`'... – stx73 Oct 04 '15 at 08:32
0

Set the password in an environment variable, e.g. export PASSWD=secret and use it in --form "password=${PASSWD}".

Hans Z.
  • 50,496
  • 12
  • 102
  • 115
0

Passing secrets in command line is insecure as they are available in process list.

You should use the --data-urlencode name@filename approach

                 This will make curl load data from the given file
                 (including any newlines), URL-encode that data and
                 pass it on in the POST.

or -K, --config <file>

          Specify a text file to read curl arguments from. The
          command line arguments found in the text file will be used
          as if they were provided on the command line.

See also this anwser

Jakub Bochenski
  • 3,113
  • 4
  • 33
  • 61