Bug #107592 for Mail-IMAPClient: avoid showing credentials via debug() unless Showcredentials()

Tue Oct 06 19:50:34 2015 gilles.lamiral [...] laposte.net - Ticket created

Subject:	Using Showcredentials() to avoid showing credentials in debug mode.
Date:	Wed, 7 Oct 2015 01:50:19 +0200
To:	bug-Mail-IMAPClient [...] rt.cpan.org
From:	Gilles LAMIRAL <gilles.lamiral [...] laposte.net>

Hi Phil, I'm often scared to see --debugimap output from imapsync with the big caveat to reveal credentials published on the net via a mailing-list archive, or even to myself only. This is a small patch in sub _send_line() to avoid showing credentials in Debug(1) mode, for the classical LOGIN authentication. I saw you added Showcredentials and started to use it in sub _record() so I used it and copied your code as a model. Thanks in advance to include this or any better code/idea to implement a way to mask credentials in debug mode. Basically the change is only this: my $debug ; if ( !$self->Showcredentials && $string =~ /^(\d+\s+LOGIN\s+).*/ ) { $debug = "$1 XXXXXXXX XXXXXXXX_Showcredentials_is_off" ; }else{ $debug = $string ; } $self->_debug("Sending: $debug"); Here is the whole sub _send_line() function patched from Mail::IMAPClient 3.37: # _send_line handles literal data and supports the Prewritemethod sub _send_line { my ( $self, $string, $suppress ) = @_; $string =~ s/$CR?$LF?$/$CRLF/o unless $suppress; # handle case where string contains a literal if ( $string =~ s/^([^$LF\{]*\{\d+\}$CRLF)(?=.)//o ) { my $first = $1; $self->_debug("Sending literal: $first\tthen: $string"); $self->_send_line($first) or return undef; # look for "$tag NO" or "+ ..." my $code = $self->_get_response( $self->Count, '+' ) or return undef; return undef unless $code eq '+'; } # non-literal part continues... if ( my $prew = $self->Prewritemethod ) { $string = $prew->( $self, $string ); } my $debug ; if ( !$self->Showcredentials && $string =~ /^(\d+\s+LOGIN\s+).*/ ) { $debug = "$1 XXXXXXXX XXXXXXXX_Showcredentials_is_off" ; }else{ $debug = $string ; } $self->_debug("Sending: $debug"); unless ( $self->IsConnected ) { $self->LastError("NO not connected"); return undef; } $self->_send_bytes( \$string ); } -- Au revoir, 09 51 84 42 42 Gilles Lamiral. France, Baulon (35580) 06 20 79 76 06

Mon Oct 12 23:51:57 2015 PLOBBES [...] cpan.org - Subject changed from 'Using Showcredentials() to avoid showing credentials in debug mode.' to 'avoid showing credentials via debug() unless Showcredentials()'

Mon Oct 12 23:51:58 2015 PLOBBES [...] cpan.org - Status changed from 'new' to 'open'

Mon Oct 12 23:51:59 2015 PLOBBES [...] cpan.org - Taken

Mon Oct 12 23:52:00 2015 PLOBBES [...] cpan.org - Severity Normal added

Mon Jan 04 00:56:37 2016 PLOBBES [...] cpan.org - Correspondence added

I'm toying around with a patch that looks like the following. Thoughts? diff --git a/lib/Mail/IMAPClient.pm b/lib/Mail/IMAPClient.pm index 737f35c..6d731b6 100644 --- a/lib/Mail/IMAPClient.pm +++ b/lib/Mail/IMAPClient.pm @@ -1476,7 +1476,14 @@ sub _send_line { # handle case where string contains a literal if ( $string =~ s/^([^$LF\{]*\{\d+\}$CRLF)(?=.)//o ) { my $first = $1; - $self->_debug("Sending literal: $first\tthen: $string"); + if ( $self->Debug ) { + my $dat; + if ( $self->IsConnected and !$self->IsAuthenticated and !$self->Showcredentials ) { + my $len = length($string); + $dat = "[NotAuth: Showcredentials is OFF] strlen($len)"; + } + $self->_debug( "Sending literal: $first\tthen: ", defined $dat ? $dat : $string ); + } $self->_send_line($first) or return undef; # look for "$tag NO" or "+ ..." @@ -1489,7 +1496,15 @@ sub _send_line { $string = $prew->( $self, $string ); } - $self->_debug("Sending: $string"); + if ( $self->Debug ) { + my $dat; + if ( $self->IsConnected and !$self->IsAuthenticated and !$self->Showcredentials ) { + my $len = length($string); + $dat = "[NotAuth: Showcredentials is OFF] strlen($len)"; + } + $self->_debug("Sending: ", defined $dat ? $dat : $string ); + } + unless ( $self->IsConnected ) { $self->LastError("NO not connected"); return undef;

Mon Jan 04 13:09:04 2016 PLOBBES [...] cpan.org - Correspondence added

The following commit was made to support this change (slightly different from what I proposed earlier): commit 5a86ddbb786a2759bab42bdeb4e83f3c10b44f2f Author: Phil Pearl (Lobbes) <phil@perkpartners.com> Date: Mon Jan 4 18:04:13 2016 +0000 - rt.cpan.org#107592: redact credentials via debug if !Showcredentials - added new internal method _redact_line() to support this Note, I added new internal method _redact_line() to support this and if you were ambitious you could use Mail::IMAPClient as a base class and override that method to take more control over what is logged via debug in that case but as it is right now, it deals with quoted and literal use cases so I hope it's "good enough".

Mon Jan 04 13:09:05 2016 PLOBBES [...] cpan.org - Status changed from 'open' to 'patched'

Mon Jan 04 19:07:18 2016 gilles.lamiral [...] laposte.net - Correspondence added

Subject:	Re: [rt.cpan.org #107592] avoid showing credentials via debug() unless Showcredentials()
Date:	Tue, 5 Jan 2016 01:06:57 +0100
To:	bug-Mail-IMAPClient [...] rt.cpan.org
From:	Gilles LAMIRAL <gilles.lamiral [...] laposte.net>

Hi Phil, "Showcredentials is OFF" is ok to me, but "NotAuth", brackets [] and strlen($len) are not. Show quoted text

> I'm toying around with a patch that looks like the following. Thoughts? > > + $dat = "[NotAuth: Showcredentials is OFF] strlen($len)";

-- Au revoir, 09 51 84 42 42 Gilles Lamiral. France, Baulon (35580) 06 20 79 76 06

Mon Jan 04 19:40:20 2016 PLOBBES [...] cpan.org - Correspondence added

On Mon Jan 04 19:07:18 2016, gilles.lamiral@laposte.net wrote: Show quoted text

> Hi Phil, > > "Showcredentials is OFF" is ok to me, > but "NotAuth", brackets [] and strlen($len) are not. > >

> > I'm toying around with a patch that looks like the following. Thoughts? > > > > + $dat = "[NotAuth: Showcredentials is OFF] strlen($len)";

> >

At the moment, here's what it looks like (Note the line with 'Redact' where a LOGIN occurred): Started at Tue Jan 5 00:38:45 2016 Using Mail::IMAPClient version 3.38_04 on perl 5.018002 Connecting with IO::Socket::INET PeerAddr localhost PeerPort 143 Proto tcp Timeout 600 Debug a Connected to localhost Read: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready. Sending: [Redact: Count=1 Showcredentials=OFF] Sent 32 bytes Read: 1 OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS SPECIAL-USE BINARY MOVE QUOTA] Logged in

Tue Jan 05 03:39:05 2016 gilles.lamiral [...] laposte.net - Correspondence added

Subject:	Re: [rt.cpan.org #107592] avoid showing credentials via debug() unless Showcredentials()
Date:	Tue, 5 Jan 2016 09:38:44 +0100
To:	bug-Mail-IMAPClient [...] rt.cpan.org
From:	Gilles LAMIRAL <gilles.lamiral [...] laposte.net>

Hi Phil, What I have in mind is that the really important thing is to hide the password, while still showing real IMAP debugging, the goal of debugging IMAP is to help debugging IMAP. We're doing too much with some meta info like [Redact: Count=1 Showcredentials=OFF] inside the IMAP session output. This meta info should go outside the IMAP trace. So I'm not satisfied with "Sending: " followed by something that is not sent at all. I'd prefer see "LOGIN username PASS_MASKED" or "LOGIN username XXX" or anything else meaningful as long as only the password is changed. Show quoted text

> Read: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready. > Sending: [Redact: Count=1 Showcredentials=OFF]

-- Au revoir, 09 51 84 42 42 Gilles Lamiral. France, Baulon (35580) 06 20 79 76 06

Wed Jan 06 01:17:16 2016 PLOBBES [...] cpan.org - Correspondence added

On Tue Jan 05 03:39:05 2016, gilles.lamiral@laposte.net wrote: Show quoted text

> Hi Phil, > > What I have in mind is that the really important thing is to hide the > password,

Agreed, but this is a little tricky... Consider: a. 1 LOGIN username password b. 1 LOGIN username {#} (password sent as a literal) c. 1 LOGIN {#} (user, then password both sent as literals) d. 1 AUTH PLAIN (password sent as part of a base64 encoded word) Regardless, my latest change now does things like: * Case a. Sending: 1 LOGIN imaptest [Redact: Count=1 Showcredentials=OFF] Sent 32 bytes * Case b. Sending literal: 1 LOGIN imaptest2 {7} then: [Redact: Count=1 Showcredentials=OFF] Sending: 1 LOGIN imaptest2 {7} Sent 23 bytes Read: + OK Sending: [Redact: Count=1 Showcredentials=OFF] Sent 9 bytes * Case c. Sending literal: 1 LOGIN {9} then: [Redact: Count=1 Showcredentials=OFF] Sending: 1 LOGIN {9} Sent 13 bytes Read: + OK Sending: [Redact: Count=1 Showcredentials=OFF] Sent 31 bytes * Case d. Sending: 1 AUTHENTICATE PLAIN Sent 22 bytes Read: + Sending: [Redact: Count=1 Showcredentials=OFF] Sent 34 bytes Better? Acceptable?

Wed Jan 06 08:26:00 2016 gilles.lamiral [...] laposte.net - Correspondence added

Subject:	Re: [rt.cpan.org #107592] avoid showing credentials via debug() unless Showcredentials()
Date:	Wed, 6 Jan 2016 14:25:35 +0100
To:	bug-Mail-IMAPClient [...] rt.cpan.org
From:	Gilles LAMIRAL <gilles.lamiral [...] laposte.net>

Hi Phil, Ah yes, many cases to think, sorry. What you've done is pretty good! I stop complaining. Thanks Phil! On 06/01/2016 07:17, Phil Pearl (Lobbes) via RT wrote: Show quoted text

> <URL: https://rt.cpan.org/Ticket/Display.html?id=107592 > > > On Tue Jan 05 03:39:05 2016, gilles.lamiral@laposte.net wrote:

>> Hi Phil, >> >> What I have in mind is that the really important thing is to hide the >> password,

> > Agreed, but this is a little tricky... > > Consider: > a. 1 LOGIN username password > b. 1 LOGIN username {#} (password sent as a literal) > c. 1 LOGIN {#} (user, then password both sent as literals) > d. 1 AUTH PLAIN (password sent as part of a base64 encoded word) > > Regardless, my latest change now does things like: > > * Case a. > Sending: 1 LOGIN imaptest [Redact: Count=1 Showcredentials=OFF] > Sent 32 bytes > > * Case b. > Sending literal: 1 LOGIN imaptest2 {7} > then: [Redact: Count=1 Showcredentials=OFF] > Sending: 1 LOGIN imaptest2 {7} > Sent 23 bytes > Read: + OK > Sending: [Redact: Count=1 Showcredentials=OFF] > Sent 9 bytes > > * Case c. > Sending literal: 1 LOGIN {9} > then: [Redact: Count=1 Showcredentials=OFF] > Sending: 1 LOGIN {9} > Sent 13 bytes > Read: + OK > Sending: [Redact: Count=1 Showcredentials=OFF] > Sent 31 bytes > > * Case d. > Sending: 1 AUTHENTICATE PLAIN > Sent 22 bytes > Read: + > Sending: [Redact: Count=1 Showcredentials=OFF] > Sent 34 bytes > > Better? Acceptable? >

-- Au revoir, 09 51 84 42 42 Gilles Lamiral. France, Baulon (35580) 06 20 79 76 06

Tue Feb 09 21:18:07 2016 PLOBBES [...] cpan.org - Fixed in 3.38 added

Tue Feb 09 21:18:08 2016 PLOBBES [...] cpan.org - Correspondence added

http://search.cpan.org/~plobbes/Mail-IMAPClient-3.38/ is out and include the fix for this bug.

Tue Feb 09 21:18:14 2016 PLOBBES [...] cpan.org - Status changed from 'patched' to 'resolved'