New submission from Jerome Perrin <jer...@nexedi.com>:

>>> import xmlrpc.client
>>> xmlrpc.client.ServerProxy('https://login:passw...@example.com')
<ServerProxy for login:passw...@example.com/RPC2>

Because this repr is included in error messages, this can lead to leaking the 
password:

>>> xmlrpc.client.ServerProxy('https://login:passw...@example.com').method()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/xmlrpc/client.py", line 1112, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python3.7/xmlrpc/client.py", line 1452, in __request
    verbose=self.__verbose
  File "/usr/lib/python3.7/xmlrpc/client.py", line 1154, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python3.7/xmlrpc/client.py", line 1187, in single_request
    dict(resp.getheaders())
xmlrpc.client.ProtocolError: <ProtocolError for 
login:passw...@example.com/RPC2: 404 Not Found>

----------
components: Library (Lib)
messages: 413870
nosy: perrinjerome
priority: normal
severity: normal
status: open
title: xmlrpc.client.ServerProxy shows password in __repr__ when using basic 
authentication

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue46840>
_______________________________________
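
A caller-side mitigation for the leak reported above, as an added example that is not part of the original report or of CPython: keep the credentials out of the URL handed to `ServerProxy` and send them as an `Authorization` header instead, so neither the repr nor `ProtocolError` can contain them. It assumes Python 3.8 or later, where `ServerProxy` accepts the `headers` keyword; `split_credentials` and `make_proxy` are hypothetical helper names and the sample URL is constructed.

```python
import base64
import xmlrpc.client
from urllib.parse import unquote, urlsplit, urlunsplit


def split_credentials(url):
    """Return (url_without_userinfo, headers) for a URL that may embed user:password."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, []
    # Rebuild the netloc from host and port only, dropping "user:password@".
    host = parts.hostname or ""
    if ":" in host:  # an IPv6 literal needs its brackets back
        host = "[" + host + "]"
    netloc = host if parts.port is None else "%s:%d" % (host, parts.port)
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    # Same Basic scheme the xmlrpc transport would derive from the URL userinfo.
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return clean, [("Authorization", "Basic " + token)]


def make_proxy(url, **kwargs):
    """Build a ServerProxy whose stored host never includes the password."""
    clean, headers = split_credentials(url)
    return xmlrpc.client.ServerProxy(clean, headers=headers, **kwargs)


if __name__ == "__main__":
    # Constructed sample URL; no network traffic happens at construction time.
    proxy = make_proxy("https://login:s3cret-constructed@example.com/RPC2")
    print(repr(proxy))
```

The header value is still only base64-encoded, so anything that records request headers (for example `verbose=True` output) needs the same care as the URL did.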