Hi all,

keep in mind that a URL may contain a user name and a password.
When a URL with a password is logged to y2log, the password should be hidden
for security reasons (see bnc#441944).

There are new functions URL::HidePassword() and URL::HidePasswordToken() for
hiding the password in a URL (added in yast2-2.17.47). The first one takes a
URL string as the input, the second one takes a map (as returned by the
URL::Parse() function).

Both functions replace the password with the string 'PASSWORD' so we can detect
in y2log that a URL with a password was used.


So instead of

y2milestone("Adding repository %1", url);

use

y2milestone("Adding repository %1", URL::HidePassword(url));


Fortunately libzypp hides the password by default so there should not be many
places which log a full URL.

And of course, this won't help if Y2DEBUG is enabled. We would need a new
datatype or a flag in the interpreter to fix it with Y2DEBUG enabled.


--

Best Regards

Ladislav Slezák
Yast Developer
------------------------------------------------------------------------
SUSE LINUX, s.r.o.                              e-mail: [EMAIL PROTECTED]
Lihovarská 1060/12                              tel: +420 284 028 960
190 00 Prague 9                                 fax: +420 284 028 951
Czech Republic                                  http://www.suse.cz/
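
The masking described in the mail above, as an added Python illustration: it is not part of the original message and not YaST's own implementation. The function names, the map keys and the sample URLs are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Fixed marker named in the mail: a masked URL stays recognisable in the log.
MASK = "PASSWORD"


def hide_password_token(parts: dict) -> dict:
    """Return a copy of a parsed-URL map with a non-empty password masked.

    The key names ("user", "pass", "host") are assumptions for this example,
    not necessarily the keys returned by URL::Parse().
    """
    masked = dict(parts)
    if masked.get("pass"):
        masked["pass"] = MASK
    return masked


def hide_password(url: str) -> str:
    """Return the URL string with the password in its userinfo part masked."""
    split = urlsplit(url)
    # Split at the LAST '@': an unencoded '@' inside the password must not be
    # mistaken for the userinfo/host separator.
    userinfo, at, hostport = split.netloc.rpartition("@")
    if not at:
        return url  # no credentials in the URL
    # Split at the FIRST ':': everything after it belongs to the password.
    user, colon, password = userinfo.partition(":")
    if not (colon and password):
        return url  # user name only, nothing to hide
    return urlunsplit(split._replace(netloc=f"{user}:{MASK}@{hostport}"))


if __name__ == "__main__":
    # Constructed sample URLs, not taken from any real log.
    for sample in (
        "ftp://user:secret@example.com/repo",
        "http://user:p@ss:word@example.com:8080/repo?x=1",
        "http://user@example.com/repo",
        "http://example.com/repo",
    ):
        print("Adding repository", hide_password(sample))
```
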