New submission from Jerome Perrin <jer...@nexedi.com>:
>>> import xmlrpc.client
>>> xmlrpc.client.ServerProxy('https://login:passw...@example.com')
<ServerProxy for login:passw...@example.com/RPC2>

Because this repr is included in error messages, this can lead to leaking the password:

>>> xmlrpc.client.ServerProxy('https://login:passw...@example.com').method()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/xmlrpc/client.py", line 1112, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python3.7/xmlrpc/client.py", line 1452, in __request
    verbose=self.__verbose
  File "/usr/lib/python3.7/xmlrpc/client.py", line 1154, in request
    return self.single_request(host, handler, request_body, verbose)
  File "/usr/lib/python3.7/xmlrpc/client.py", line 1187, in single_request
    dict(resp.getheaders())
xmlrpc.client.ProtocolError: <ProtocolError for login:passw...@example.com/RPC2: 404 Not Found>

----------
components: Library (Lib)
messages: 413870
nosy: perrinjerome
priority: normal
severity: normal
status: open
title: xmlrpc.client.ServerProxy shows password in __repr__ when using basic authentication

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue46840>
_______________________________________
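
An added example, not part of the original report or of CPython: one way to keep the credentials out of the ServerProxy repr and the ProtocolError text is to strip them from the URL and send them through the headers parameter of ServerProxy (available from Python 3.8). The names split_credentials, make_proxy and SAMPLE_URL are hypothetical, and the sample URL and its login and password are constructed.

```python
import base64
import xmlrpc.client
from urllib.parse import unquote, urlsplit, urlunsplit


def split_credentials(url):
    """Return (url_without_userinfo, headers) for a URL that may embed login:password."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, []
    # Rebuild the netloc from host and port only, dropping the userinfo part.
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit strips the brackets, put them back
        host = "[%s]" % host
    netloc = host if parts.port is None else "%s:%d" % (host, parts.port)
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    # Basic authentication: base64 of "login:password", percent-decoded first.
    userinfo = "%s:%s" % (unquote(parts.username), unquote(parts.password or ""))
    token = base64.b64encode(userinfo.encode("utf-8")).decode("ascii")
    return clean, [("Authorization", "Basic " + token)]


def make_proxy(url, **kwargs):
    """Build a ServerProxy whose repr and ProtocolError text carry no credentials."""
    clean, headers = split_credentials(url)
    # The proxy only ever sees the cleaned URL, so its host string (used in
    # __repr__ and in ProtocolError) has no userinfo; auth travels as a header.
    return xmlrpc.client.ServerProxy(clean, headers=headers, **kwargs)


# Constructed sample input; login and password are placeholders.
SAMPLE_URL = "https://login:s3cret@example.com/RPC2"

if __name__ == "__main__":
    # No network traffic happens here: the proxy is only constructed and printed.
    print(repr(make_proxy(SAMPLE_URL)))
```

The Authorization header is still sent on every request, so this only changes what ends up in reprs, exception messages and logs, not what goes over the wire.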