[Akonadi] [Bug 505561] New: akonadi_ews_resource log messages logs user password in plain text
Thomas Fischer
bugzilla_noreply at kde.org
Fri Jun 13 10:33:14 BST 2025
https://bugs.kde.org/show_bug.cgi?id=505561
Bug ID: 505561
Summary: akonadi_ews_resource log messages logs user password in plain text
Classification: Frameworks and Libraries
Product: Akonadi
Version First Reported In: unspecified
Platform: Fedora RPMs
OS: Linux
Status: REPORTED
Severity: critical
Priority: NOR
Component: EWS Resource
Assignee: kdepim-bugs at kde.org
Reporter: fischer at unix-ag.uni-kl.de
CC: carl at carlschwan.eu, krissn at op.pl
Target Milestone: ---
Checking my logs (journalctl) I found lines like this:
akonadi_ews_resource[3499]: org.kde.pim.ews.client: Failed to process EWS
request: Error transferring
https://USERNAME:PASSWORD@mail.DOMAIN/EWS/Exchange.asmx - server replied:
Internal Server Error
Here, "USERNAME", "PASSWORD", and "DOMAIN" are placeholders for the real, plain
values used in my setup.
The problem is not the error itself, but that the user's password got logged in
plain text.
Please review the EWS component so that any logging of URLs and similar strips the
credentials from the URL. Probably QUrl's toDisplayString can be used, as it is
supposed to strip away passwords.
The log messages were recorded last in March on a Fedora Linux system (probably
41), but not since then.
--
You are receiving this mail because:
You are the assignee for the bug.
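A log audit for the leak described in this report, as an added example (not part of the original report and not Akonadi code): it scans journal text for URLs carrying `user:password@` credentials, names the process that wrote them, and returns only redacted copies. The sample lines, host name and credentials are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# scheme://user:password@host... Unencoded '/', '@' and whitespace cannot appear
# in the userinfo part, so those characters end the match.
CRED_URL = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)(?P<user>[^\s/:@]*):(?P<pw>[^\s/@]+)@"
)
# Syslog identifier as printed in journalctl's default output: "name[pid]: "
IDENT = re.compile(r"(?P<ident>[\w.@-]+)\[\d+\]: ")


def redact(line: str) -> str:
    """Replace the password in every credential-bearing URL on the line."""
    return CRED_URL.sub(lambda m: f"{m['scheme']}{m['user']}:REDACTED@", line)


def audit(lines):
    """Return (findings, per-process counts); findings never hold the password."""
    findings, counts = [], Counter()
    for number, line in enumerate(lines, start=1):
        if not CRED_URL.search(line):
            continue
        ident = IDENT.search(line)
        name = ident["ident"] if ident else "unknown"
        counts[name] += 1
        findings.append((number, name, redact(line)))
    return findings, counts


# Constructed sample input in journalctl's default format (not real log data).
SAMPLE = [
    "Mar 03 09:12:44 host akonadi_ews_resource[3499]: org.kde.pim.ews.client: "
    "Failed to process EWS request: Error transferring "
    "https://alice:s3cr3t%21@mail.example.org/EWS/Exchange.asmx - server replied: "
    "Internal Server Error",
    "Mar 03 09:12:45 host akonadi_ews_resource[3499]: org.kde.pim.ews.client: "
    "Retrying https://mail.example.org/EWS/Exchange.asmx",
    "Mar 03 09:13:02 host sshd[812]: Accepted publickey for alice from 192.0.2.7",
]

if __name__ == "__main__":
    found, per_process = audit(SAMPLE)
    for number, name, safe in found:
        print(f"line {number} [{name}]: {safe}")
    print(dict(per_process))
```

A password that has reached the journal should be treated as exposed and rotated; redaction only makes the log safe to share in a bug report.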