UserPassCredentials showing password in debug mode #2321
Labels
ARM
bug
This issue requires a change to an existing behavior in the product in order to be resolved.
Service Attention
Workflow: This issue is responsible by Azure service team.
Comments
|
Could you confirm what version of msrest you used? There is a fix for that in 0.4.27. If you don't have this one, could you update to this version and tell me if it's all gone? |
lmazuel
added
bug
|
Supposed to be fixed, and the backend is being rewritten anyway in msrestazure 0.6.0 (Azure/msrestazure-for-python#94) |
bsiegel
added
the
Service Attention
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Hello,
I'm using the UserPassCredentials class from azure.common.credentials.
When initializing an instance of the class with a logging level at DEBUG, the password is shown in plain text at at least three locations:
03/30/2018 06:16:46 PM (DEBUG): Supplying headers {'Accept': 'application/json', 'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8'} and data {'resource': 'https://vault.azure.net', 'grant_type': 'password', 'client_id': '------', 'username': 'r____@microsoft.com', 'password': '_______}
03/30/2018 06:16:52 PM (DEBUG): Request body was resource=https%3A%2F%2Fvault.azure.net&grant_type=password&client_id=----------&username=r_______%40microsoft.com&password=--------
03/30/2018 06:16:52 PM (DEBUG): Prepared fetch token request body grant_type=password&client_id=-------&password=--------&resource=https%3A%2F%2Fvault.azure.net&username=r______%40microsoft.com
Is this something done on purpose? It seems a bit 'unsafe' to me.
The text was updated successfully, but these errors were encountered: