
Use of obsolete function getpass

Description

The getpass function is obsolete and not portable. It was present in SUSv2 but removed by POSIX.2. Exactly what it does varies considerably between systems, particularly where its prompt is displayed and where it reads its input: some systems write the prompt to stderr instead of stdout; some fall back to reading from stdin if /dev/tty cannot be read; and on some systems the returned buffer is static and limited to 127 characters, so a longer password is not returned in full.

Examples

Insecure Code

```c
#include <unistd.h>   /* getpass(): obsolete; echo handling, prompt destination and buffer size vary by platform */

char *password = getpass("Enter password: ");
```

Secure Code

```c
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

char password[128];
struct termios oldt, newt;

tcgetattr(STDIN_FILENO, &oldt);                 /* save current terminal settings */
newt = oldt;
newt.c_lflag &= ~(ICANON | ECHO);               /* disable echo (and line buffering) */
tcsetattr(STDIN_FILENO, TCSANOW, &newt);
printf("Enter password: ");
fflush(stdout);                                 /* make sure the prompt is shown before reading */
if (fgets(password, sizeof password, stdin) != NULL)
    password[strcspn(password, "\n")] = '\0';   /* strip the trailing newline */
tcsetattr(STDIN_FILENO, TCSANOW, &oldt);        /* restore echo before anything else */
printf("\n");
/* ... use password ... */
memset(password, 0, sizeof password);           /* zero the cleartext as soon as it is no longer needed */
```

Remediation

Use a secure alternative that reads input with terminal echo disabled, for example by clearing the ECHO flag described in the termios manual page, and zero the password buffer as soon as it is no longer needed so the cleartext password does not linger in the process's address space.
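The remediation above, worked through as a reusable function. This is an added example, not code from the rule's author: `read_password`, `secure_zero` and the constructed sample inputs are assumptions introduced here. It differs from the snippet above in three ways a practitioner usually wants: echo is only switched off when the input really is a terminal (so the function still works when stdin is a pipe), the terminal settings are restored on every path, and a line that does not fit the buffer is rejected and wiped instead of being silently truncated the way getpass's fixed buffer does on some systems.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <termios.h>
#include <unistd.h>

/* Overwrite a buffer through a volatile pointer so the compiler cannot drop the
 * write as a dead store (a plain memset just before the buffer dies often is). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n-- > 0) *v++ = 0;
}

/* Read one line from `in` into `buf` (size `buflen`), suppressing echo when `in`
 * is a terminal. Returns the password length without the newline, or -1 on
 * EOF/error or when the line does not fit: an oversized line is drained and the
 * buffer zeroed rather than silently truncated. Terminal settings are always
 * restored before returning. (Hypothetical helper, not part of the rule page.) */
ssize_t read_password(FILE *in, FILE *out, const char *prompt, char *buf, size_t buflen) {
    struct termios oldt, newt;
    int fd = fileno(in);
    int is_tty = isatty(fd);

    if (buflen < 2) return -1;
    if (is_tty) {
        if (tcgetattr(fd, &oldt) != 0) return -1;
        newt = oldt;
        newt.c_lflag &= ~ECHO;            /* keep ICANON so backspace editing still works */
        if (tcsetattr(fd, TCSAFLUSH, &newt) != 0) return -1;
    }
    if (out && prompt) { fputs(prompt, out); fflush(out); }

    char *r = fgets(buf, (int)buflen, in);

    if (is_tty) {
        tcsetattr(fd, TCSAFLUSH, &oldt);  /* restore echo even if the read failed */
        if (out) fputc('\n', out);        /* the user's Enter was not echoed */
    }
    if (r == NULL) { secure_zero(buf, buflen); return -1; }

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[--len] = '\0'; return (ssize_t)len; }
    if (len == buflen - 1) {              /* buffer filled without seeing a newline */
        int c = fgetc(in);
        if (c == EOF || c == '\n') return (ssize_t)len;   /* line exactly fits */
        while (c != EOF && c != '\n') c = fgetc(in);      /* drain the oversized line */
        secure_zero(buf, buflen);
        return -1;
    }
    return (ssize_t)len;                  /* last line of input without a newline */
}

/* Demo: read a password from the terminal, use it, then wipe it. */
int main(void) {
    char password[128];
    ssize_t n = read_password(stdin, stdout, "Enter password: ", password, sizeof password);
    if (n < 0) { fprintf(stderr, "no password read (or too long)\n"); return 1; }
    printf("read %zd characters\n", n);   /* never print the password itself */
    secure_zero(password, sizeof password);
    return 0;
}
```

When stdin is a pipe (as in a test harness or a scripted run) `isatty` is false and no termios call is made, so the same function serves interactive and non-interactive callers; the caller remains responsible for zeroing the buffer once the password has been used.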

Rule Details

| Field | Value |
| --- | --- |
| ID | CODE-0602 |
| Category | InsecureConfig |
| Severity | LOW |
| CWE | CWE-477 |
| Confidence | HIGH |
| Impact | LOW |
| Likelihood | LOW |
| Exploitability | COMPLEX |
| Tags | obsolete function, portability issue |
| OWASP | A9:2017-Using Components with Known Vulnerabilities, A06:2021-Vulnerable and Outdated Components |