diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2019-11-06 02:55:18 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2019-11-06 03:21:13 +0100 |
commit | 2f8350700091e766bdab24e7e8d8e051701da9e2 (patch) | |
tree | 8016ba7ef9b1cd0ca01847d01c1e14870f27c62a | |
parent | 67e0d741f21bd589a2cbb4d23f07f5fb5eae889b (diff) |
pullimap, interimap: redact AUTHENTICATE and LOGIN commands
In --debug mode in order to avoid inadvertently receiving credentials in
bug reports. --debug can be set twice to spell out these commands in
full.
-rw-r--r-- | Changelog | 4 | ||||
-rw-r--r-- | doc/interimap.1.md | 9 | ||||
-rw-r--r-- | doc/pullimap.1.md | 9 | ||||
-rwxr-xr-x | interimap | 2 | ||||
-rw-r--r-- | lib/Net/IMAP/InterIMAP.pm | 17 | ||||
-rwxr-xr-x | pullimap | 2 |
6 files changed, 31 insertions, 12 deletions
@@ -44,6 +44,10 @@ interimap (0.5) upstream; is run following Perl's `exec` semantics: it is passed to `/bin/sh -c` when it contains shell metacharacters; and split into words and passed to execvp(3) otherwise. + + interimap, pullimap: redact AUTHENTICATE and LOGIN commands in + --debug mode in order to avoid inadvertently receiving credentials in + bug reports. --debug can be set twice to spell out these commands in + full. - libinterimap: bugfix: hierarchy delimiters in LIST responses were returned as an escaped quoted special, like "\\", not as a single character (backslash in this case). diff --git a/doc/interimap.1.md b/doc/interimap.1.md index 0fb83ea..8fa5def 100644 --- a/doc/interimap.1.md +++ b/doc/interimap.1.md @@ -178,10 +178,11 @@ Options `--debug` -: Turn on debug mode. Debug messages are written to the given *logfile*. - Note that this include all IMAP traffic (except literals). - Depending on the chosen authentication mechanism, this might include - authentication credentials. +: Turn on debug mode. Debug messages, which includes all IMAP traffic + besides literals, are written to the given *logfile*. The `LOGIN` + and `AUTHENTICATE` commands are however redacted (in order to avoid + disclosing authentication credentials) unless the `--debug` flag is + set multiple times. `-h`, `--help` diff --git a/doc/pullimap.1.md b/doc/pullimap.1.md index 1b2e509..d40ece8 100644 --- a/doc/pullimap.1.md +++ b/doc/pullimap.1.md @@ -57,10 +57,11 @@ Options `--debug` -: Turn on debug mode. Debug messages are written to the error output. - Note that this include all IMAP traffic (except literals). - Depending on the chosen authentication mechanism, this might include - authentication credentials. +: Turn on debug mode. Debug messages, which includes all IMAP traffic + besides literals, are written to the given *logfile*. The `LOGIN` + and `AUTHENTICATE` commands are however redacted (in order to avoid + disclosing authentication credentials) unless the `--debug` flag is + set multiple times. `-h`, `--help` @@ -57,7 +57,7 @@ sub usage(;$) { } my @COMMANDS = qw/repair delete rename/; -usage(1) unless GetOptions(\%CONFIG, qw/config=s quiet|q target=s@ debug help|h watch:i notify/, @COMMANDS); +usage(1) unless GetOptions(\%CONFIG, qw/config=s quiet|q target=s@ debug+ help|h watch:i notify/, @COMMANDS); usage(0) if $CONFIG{help}; my $COMMAND = do { my @command = grep {exists $CONFIG{$_}} @COMMANDS; diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm index aacc8e7..76135ea 100644 --- a/lib/Net/IMAP/InterIMAP.pm +++ b/lib/Net/IMAP/InterIMAP.pm @@ -436,8 +436,21 @@ sub new($%) { $self->fail("Unsupported authentication mechanism: $mech"); } + my $dbg; delete $self->{password}; # no need to remember passwords + if (($self->{debug} // 0) == 1) { + $dbg = $self->{debug}--; + my $cmd = $command =~ /\A(LOGIN) / ? $1 + : $command =~ /\A(AUTHENTICATE \S+)(?: .*)?\z/ ? $1 + : $self->panic(); + $self->logger('C: xxx ', $cmd, ' [REDACTED]'); + } $self->_send($command, $callback); + if (defined $dbg) { + $self->logger('S: xxx ', $IMAP_text); + $self->{debug} = $dbg; + } + unless ($IMAP_text =~ /\A\Q$IMAP_cond\E \[CAPABILITY /) { # refresh the CAPABILITY list since the previous one had only pre-login capabilities delete $self->{_CAPABILITIES}; @@ -1826,8 +1839,8 @@ sub _cmd_extend($$) { $self->_cmd_extend_($args); } else { - # server supports LITERAL+: flush the command before each - # literal + # server doesn't supports LITERAL+: flush the command before + # each literal my ($offset, $litlen) = (0, 0); while ( (my $idx = index($$args, "\n", $offset+$litlen)) >= 0 ) { my $line = substr($$args, $offset, $idx+1-$offset); @@ -52,7 +52,7 @@ sub usage(;$) { exit $rv; } -usage(1) unless GetOptions(\%CONFIG, qw/config=s quiet|q debug help|h idle:i no-delivery/); +usage(1) unless GetOptions(\%CONFIG, qw/config=s quiet|q debug+ help|h idle:i no-delivery/); usage(0) if $CONFIG{help}; usage(1) unless $#ARGV == 0 and $ARGV[0] ne '_'; |