From 2f8350700091e766bdab24e7e8d8e051701da9e2 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 6 Nov 2019 02:55:18 +0100
Subject: pullimap, interimap: redact AUTHENTICATE and LOGIN commands
In --debug mode in order to avoid inadvertently receiving credentials in bug reports. --debug can be set twice to spell out these commands in full.
---
 Changelog | 4 ++++
 doc/interimap.1.md | 9 +++++----
 doc/pullimap.1.md | 9 +++++----
 interimap | 2 +-
 lib/Net/IMAP/InterIMAP.pm | 17 +++++++++++++++--
 pullimap | 2 +-
 6 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/Changelog b/Changelog
index d429932..9f718cd 100644
--- a/Changelog
+++ b/Changelog
@@ -44,6 +44,10 @@ interimap (0.5) upstream;
 is run following Perl's `exec` semantics: it is passed to `/bin/sh -c` when it contains shell metacharacters; and split into words and passed to execvp(3) otherwise.
+
+ interimap, pullimap: redact AUTHENTICATE and LOGIN commands in
+ --debug mode in order to avoid inadvertently receiving credentials in
+ bug reports. --debug can be set twice to spell out these commands in
+ full.
 - libinterimap: bugfix: hierarchy delimiters in LIST responses were returned as an escaped quoted special, like "\\", not as a single character (backslash in this case).
diff --git a/doc/interimap.1.md b/doc/interimap.1.md
index 0fb83ea..8fa5def 100644
--- a/doc/interimap.1.md
+++ b/doc/interimap.1.md
@@ -178,10 +178,11 @@ Options
 `--debug`
-: Turn on debug mode. Debug messages are written to the given *logfile*.
- Note that this include all IMAP traffic (except literals).
- Depending on the chosen authentication mechanism, this might include
- authentication credentials.
+: Turn on debug mode. Debug messages, which includes all IMAP traffic
+ besides literals, are written to the given *logfile*. The `LOGIN`
+ and `AUTHENTICATE` commands are however redacted (in order to avoid
+ disclosing authentication credentials) unless the `--debug` flag is
+ set multiple times.
 `-h`, `--help` 
diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md
index 1b2e509..d40ece8 100644
--- a/doc/pullimap.1.md
+++ b/doc/pullimap.1.md
@@ -57,10 +57,11 @@ Options
 `--debug`
-: Turn on debug mode. Debug messages are written to the error output.
- Note that this include all IMAP traffic (except literals).
- Depending on the chosen authentication mechanism, this might include
- authentication credentials.
+: Turn on debug mode. Debug messages, which includes all IMAP traffic
+ besides literals, are written to the given *logfile*. The `LOGIN`
+ and `AUTHENTICATE` commands are however redacted (in order to avoid
+ disclosing authentication credentials) unless the `--debug` flag is
+ set multiple times.
 `-h`, `--help`
diff --git a/interimap b/interimap
index ab96c9c..207d389 100755
--- a/interimap
+++ b/interimap
@@ -57,7 +57,7 @@ sub usage(;$) {
 }
 my @COMMANDS = qw/repair delete rename/;
-usage(1) unless GetOptions(\%CONFIG, qw/config=s quiet|q target=s@ debug help|h watch:i notify/, @COMMANDS);
+usage(1) unless GetOptions(\%CONFIG, qw/config=s quiet|q target=s@ debug+ help|h watch:i notify/, @COMMANDS);
 usage(0) if $CONFIG{help};
 my $COMMAND = do {
 my @command = grep {exists $CONFIG{$_}} @COMMANDS;
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index aacc8e7..76135ea 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -436,8 +436,21 @@ sub new($%) {
 $self->fail("Unsupported authentication mechanism: $mech");
 }
+ my $dbg;
 delete $self->{password}; # no need to remember passwords
+ if (($self->{debug} // 0) == 1) {
+ $dbg = $self->{debug}--;
+ my $cmd = $command =~ /\A(LOGIN) / ? $1
+ : $command =~ /\A(AUTHENTICATE \S+)(?: .*)?\z/ ? $1
+ : $self->panic();
+ $self->logger('C: xxx ', $cmd, ' [REDACTED]');
+ }
 $self->_send($command, $callback);
+ if (defined $dbg) {
+ $self->logger('S: xxx ', $IMAP_text);
+ $self->{debug} = $dbg;
+ }
+
 unless ($IMAP_text =~ /\A\Q$IMAP_cond\E \[CAPABILITY /) {
 # refresh the CAPABILITY list since the previous one had only pre-login capabilities
 delete $self->{_CAPABILITIES};
@@ -1826,8 +1839,8 @@ sub _cmd_extend($$) {
 $self->_cmd_extend_($args);
 }
 else {
- # server supports LITERAL+: flush the command before each
- # literal
+ # server doesn't supports LITERAL+: flush the command before
+ # each literal
 my ($offset, $litlen) = (0, 0);
 while ( (my $idx = index($$args, "\n", $offset+$litlen)) >= 0 ) {
 my $line = substr($$args, $offset, $idx+1-$offset);
diff --git a/pullimap b/pullimap
index e1c96e8..a39d420 100755
--- a/pullimap
+++ b/pullimap
@@ -52,7 +52,7 @@ sub usage(;$) {
 exit $rv;
 }
-usage(1) unless GetOptions(\%CONFIG, qw/config=s quiet|q debug help|h idle:i no-delivery/);
+usage(1) unless GetOptions(\%CONFIG, qw/config=s quiet|q debug+ help|h idle:i no-delivery/);
 usage(0) if $CONFIG{help};
 usage(1) unless $#ARGV == 0 and $ARGV[0] ne '_';
-- 
cgit v1.2.3
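Review bot: `$dbg = $self->{debug}--;` lowers the debug level before the redacted `C: xxx` line is logged, and `$self->{debug} = $dbg;` runs only on the straight-line path after `_send`, so the level stays at 0 if `_send` raises (the surrounding code reports errors through `fail`/`panic`); whether the first point matters depends on whether `logger` gates on `$self->{debug}`, which is not visible here. Computing a `$redact` flag first, logging the redacted command while the counter is untouched, and lowering the level with `local` in a bare block around `_send` restores it on every exit and removes the undef-sentinel `$dbg`; the `S: xxx` line then follows the block. The `panic()` fallback in the ternary stays as is, since only LOGIN and AUTHENTICATE are expected to reach this point. `new` continues outside the hunk on both sides.
```perl
        my $redact = ($self->{debug} // 0) == 1;
        delete $self->{password}; # no need to remember passwords
        if ($redact) {
            # … unchanged: LOGIN / AUTHENTICATE match into $cmd, panic() otherwise …
            $self->logger('C: xxx ', $cmd, ' [REDACTED]');
        }
        {
            # level 0 for the whole _send(); `local` restores the previous
            # value on any exit from this block, including die()
            local $self->{debug} = $redact ? 0 : $self->{debug};
            $self->_send($command, $callback);
        }
        $self->logger('S: xxx ', $IMAP_text) if $redact;
        # … unchanged: CAPABILITY refresh …
```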
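Review bot: `debug+` makes `$CONFIG{debug}` a repeat count, which is what the library's `== 1` redaction check depends on, but nothing at the option definition says so; a trailing comment on the `GetOptions` line such as `# debug+: repeatable; 1 redacts LOGIN/AUTHENTICATE, >=2 logs them in full` would keep the two in step. The pullimap man page rewritten in this same commit (doc/pullimap.1.md) also now says debug messages "are written to the given *logfile*", while the text it replaces says they go to the error output and this option list has no logfile option; that sentence appears to have been copied from interimap's page and should keep `written to the error output`.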