Privacy Leakage: feed password may be revealed in output #1224

Closed
cdrnet opened this issue Nov 16, 2015 · 4 comments

@cdrnet
Member

cdrnet commented Nov 16, 2015

When paket fails it may leak the user's password in the output:

Paket failed with:
        Could not find versions for package SomePackageName in any of the sources in [Nuget
   {Url =
     "https://feed-url";
    Authentication = Some (ConfigAuthentication ("user name","actual password"));}].

We may want to skip printing the actual password there.

@forki
Member

forki commented Nov 16, 2015

Yes we need to implement tostring for the Auth type. Care to send a PR?

@cdrnet
Member Author

cdrnet commented Nov 16, 2015

Sure. Would it also make sense to use SecureString instead of String for the password?

@forki
Member

forki commented Nov 16, 2015

I guess it could be done, but most of the passwords can be found on your system (often in deps file) anyway.

@cdrnet
Member Author

cdrnet commented Nov 16, 2015

Fair enough, I'll just open a PR for ToString of Credentials etc for now. Thanks.

@cdrnet cdrnet closed this as completed Nov 19, 2015
forki pushed a commit that referenced this issue Nov 19, 2015
forki added a commit that referenced this issue Nov 19, 2015
PackageSources: do not print feed password to output #1224
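The fix discussed in this thread, sketched as an added example (not Paket's code and not the commit referenced above). The case and field names `ConfigAuthentication`, `Url` and `Authentication` are taken from the output quoted in the issue; the type names `Auth` and `PackageSource`, the `Masked` property and the secret value are assumptions made for illustration. The quoted output has the shape of F#'s structural (`%A`) formatting, so the sketch masks the password for `%A` as well as for `ToString`.

```fsharp
// Added example, not Paket's implementation.

/// Feed credentials. "%A" formats unions structurally, so
/// StructuredFormatDisplay is set in addition to overriding ToString.
[<StructuredFormatDisplay("{Masked}")>]
type Auth =
    | ConfigAuthentication of username: string * password: string

    /// Printable form with the password replaced by a fixed mask.
    member this.Masked =
        match this with
        | ConfigAuthentication (user, _) ->
            sprintf "ConfigAuthentication (\"%s\",\"***\")" user

    override this.ToString() = this.Masked

/// Hypothetical record with the two fields visible in the quoted output.
type PackageSource =
    { Url: string
      Authentication: Auth option }

// Constructed sample data; "constructed-secret" stands in for a real password.
let secret = "constructed-secret"
let auth = ConfigAuthentication ("user name", secret)
let source = { Url = "https://feed-url"; Authentication = Some auth }

// The formatting paths an error message is likely to take:
let viaStructural = sprintf "%A" [ source ]   // nested inside a list and a record
let viaToString = sprintf "%O" auth           // ToString-based formatting
let viaInterpolation = auth.ToString()

printfn "%s" viaStructural
printfn "%s" viaToString

// Regression check: fail loudly if the secret reaches any formatted output.
for rendered in [ viaStructural; viaToString; viaInterpolation ] do
    if rendered.Contains(secret) then
        failwithf "password leaked into formatted output: %s" rendered
```

The final loop is the kind of check that fits a unit test, so a later change to the credential type cannot silently reintroduce the leak.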