This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: xmlrpc.client.ServerProxy shows password in __repr__ when using basic authentication
Type: Stage:
Components: Library (Lib) Versions:
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: perrinjerome
Priority: normal Keywords:

Created on 2022-02-24 01:40 by perrinjerome, last changed 2022-04-11 14:59 by admin.

Messages (1)
msg413870 - (view) Author: Jerome Perrin (perrinjerome) Date: 2022-02-24 01:40 
>>> import xmlrpc.client
>>> xmlrpc.client.ServerProxy('https://login:password@example.com')
<ServerProxy for login:password@example.com/RPC2>

Because this repr is included in error messages, this can lead to leaking the password:

>>> xmlrpc.client.ServerProxy('https://login:password@example.com').method()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/xmlrpc/client.py", line 1112, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python3.7/xmlrpc/client.py", line 1452, in __request
    verbose=self.__verbose
  File "/usr/lib/python3.7/xmlrpc/client.py", line 1154, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python3.7/xmlrpc/client.py", line 1187, in single_request
    dict(resp.getheaders())
xmlrpc.client.ProtocolError: <ProtocolError for login:password@example.com/RPC2: 404 Not Found>
History
Date User Action Args
2022-04-11 14:59:56adminsetgithub: 90996
2022-02-24 01:40:39perrinjeromecreate