From: Daniel Stenberg Date: Tue, 10 Aug 2021 08:26:16 +0000 (+0200) Subject: TODO: erase secrets from heap/stack after use X-Git-Tag: curl-7_79_0~138 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cfe36679d94f673a05d90ba3cd74da4a7efbac71;p=thirdparty%2Fcurl.git TODO: erase secrets from heap/stack after use Closes #7268 --- diff --git a/docs/TODO b/docs/TODO index 83939c0b7f..d804eb6e15 100644 --- a/docs/TODO +++ b/docs/TODO @@ -46,6 +46,7 @@ 1.28 FD_CLOEXEC 1.29 Upgrade to websockets 1.30 config file parsing + 1.31 erase secrets from heap/stack after use 2. libcurl - multi interface 2.1 More non-blocking @@ -433,6 +434,15 @@ See https://github.com/curl/curl/issues/3698 +1.31 erase secrets from heap/stack after use + + Introducing a concept and system to erase secrets from memory after use, it + could help mitigate and lessen the impact of (future) security problems etc. + However: most secrets are passed to libcurl as clear text from the + application and then clearing them within the library adds nothing... + + https://github.com/curl/curl/issues/7268 + 2. libcurl - multi interface 2.1 More non-blocking
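Review bot: In the new 1.31 section added by the second hunk, the caveat "most secrets are passed to libcurl as clear text from the application and then clearing them within the library adds nothing..." trails off without saying what would still be worth erasing, so the entry reads as arguing against itself. Suggest stating which secrets the item is meant to cover (for example, copies the library keeps in its own heap or stack buffers), or, if that is still undecided, saying so explicitly and leaving the detail to the linked issue 7268. The opening sentence is also a comma splice ("Introducing a concept and system ..., it could help"); something like "A concept and system to erase secrets from memory after use could help mitigate and lessen the impact of (future) security problems." reads cleaner, and the trailing "etc." can be dropped.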