index-url password is displayed on pip install. #5249

Closed
Bolayniuss opened this issue Apr 16, 2018 · 6 comments · Fixed by #5339
Labels: auto-locked (Outdated issues that have been locked by automation); type: security (Has potential security implications)

Bolayniuss commented Apr 16, 2018

  • Pip version: 10.0.0
  • Python version: 2.7.14
  • Operating system: macOS

Description:

When index-url is set (with either --index-url or --extra-index-url) with user credentials, the password is displayed each time pip is used. This is clearly a security issue; before pip 10 this was displayed only in verbose mode. The password should always be masked.

What I've run:

pip install private-package

pradyunsg added the "type: security" label on Apr 16, 2018

@danieljacobs1

Also happens if you have index-url set in ~/.pip/pip.conf.

@pradyunsg
Member

@pfmoore thoughts on this? This happened as a part of #4483.

I can whip up a PR to strip the username/password when printing the URIs as a quick fix; thoughts?

@pradyunsg
Member

Or make it conditional on verbosity.

@pradyunsg
Member

I think hiding this behind verbosity and deferring to #4746 for the actual hiding of passwords in that mode makes more sense.

Making a PR for this.

@pfmoore
Member

pfmoore commented Apr 17, 2018

@pradyunsg Agreed

@lock

lock bot commented Jun 2, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock bot added the "auto-locked" label on Jun 2, 2019
lock bot locked as resolved and limited conversation to collaborators on Jun 2, 2019
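
The quick fix floated in this thread, hiding credentials in an index URL before it is printed, can be sketched as below. This is an added example, not pip's code or the change that closed this issue: the names `redact_url` and `index_message`, the mask string, the message wording and the sample URLs are assumptions constructed for illustration. It keeps the user name and masks only the password, and masks a lone userinfo field entirely because that form is commonly an API token.

```python
from urllib.parse import urlsplit, urlunsplit

MASK = "****"  # assumption: any fixed placeholder works


def redact_url(url: str, mask: str = MASK) -> str:
    """Return url with the secret part of its userinfo replaced by mask."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url  # no userinfo present, nothing to hide

    # Split on the LAST "@" so an unencoded "@" inside the password
    # cannot push part of the secret into the host portion.
    userinfo, _, hostport = parts.netloc.rpartition("@")

    # Split on the FIRST ":" so a password containing ":" is masked whole.
    user, sep, _password = userinfo.partition(":")
    if sep:
        userinfo = f"{user}:{mask}"   # user:password@host
    else:
        userinfo = mask               # token@host, treat the field as secret

    return urlunsplit(parts._replace(netloc=f"{userinfo}@{hostport}"))


def index_message(index_urls) -> str:
    """Build the user-facing line from already-redacted URLs.

    Redacting each URL before formatting is safer than pattern-matching
    the finished message, where a password containing "," or a space
    could split the URL and leave part of the secret visible.
    """
    return "Looking in indexes: " + ", ".join(redact_url(u) for u in index_urls)


if __name__ == "__main__":
    # Constructed sample values, not real indexes or credentials.
    urls = [
        "https://alice:s3cr3t@pypi.example.com/simple",
        "https://tok123@mirror.example.com:8443/simple",
        "https://pypi.org/simple",
    ]
    print(index_message(urls))
```

The same function should be applied wherever the URL can surface, including verbose output and error messages, whether the URL came from the command line or from a configuration file.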