Closed lo48576 closed 2 years ago
This doesn't change API breakingly (i.e. downstream code compilable with the previous verisons are still compilable after this change), but this will break some kind of codes semantically. Because of this, I treat this as a breaking change.
Is it enough if Display
writes https://user@example.com/
and Debug
writes https://user:pass@example.com/
(or <https://user:pass@example.com/>
)?
I think this may still have a risk that the user unintentionally prints sensitive information into logging file, error page, or something like that.
Debug
can be used indirectly through derive(Debug)
, so allowing Debug
to print credentials would be bad.
I decided not to hide the password by default.
Newly added {BorrowedIri}::mask_password()
method lets users hide or replace the password part.
The reason not to change the default is, some types requires core::fmt::Display
to write the raw IRI including the password part, since strings generation by builder and proxy types are built on core::fmt::Display
trait.
If some types hides the password and some others don't, it will confuse users and may become the cause of the vulnerability.
So I decided to let core::fmt::Display
write the raw (uncensored) values anytime, and require users to explicitly mask IRIs.
Explicit masking provides useful features, like replacing password instead of removing.
(For example, it is possible to write http://user:password@example.com
as http://user:${password}@example.com
or http://user:********@example.com
.)
According to this,
println!("{}", uri);
or such "usual" formatting should hide the password part of theuserinfo
component, unless explicitly specified. To see full userinfo,uri.display_unsecure()
oruri.display_secrets()
would have to be provided.