metaregistrar / php-epp-client

Object-oriented PHP EPP Client
https://www.metaregistrar.com/docs/
MIT License

domain:pw and clID logged in clear text from response #205

Closed joveice closed 4 years ago

joveice commented 5 years ago
<epp xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:ietf:params:xml:ns:epp-1.0" xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
  <response>
    <result code="1000">
      <msg>Command completed successfully</msg>
    </result>
    <msgQ count="2" id=""></msgQ>
    <resData>
      <domain:infData xmlns="urn:ietf:params:xml:ns:domain-1.0" xmlns:domain="urn:ietf:params:xml:ns:domain-1.0" xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
        <domain:name>*domain*</domain:name>
        <domain:roid>*roid*</domain:roid>
        <domain:status s="ok"></domain:status>
        <domain:registrant>*registrant*</domain:registrant>
        <domain:contact type="tech">*tech*</domain:contact>
        <domain:ns>
          <domain:hostObj>*nameserver1*</domain:hostObj>
          <domain:hostObj>*nameserver2*</domain:hostObj>
        </domain:ns>
        <domain:clID>!clID in cleartext!</domain:clID>
        <domain:crID>!clID in cleartext!</domain:crID>
        <domain:crDate>2019-05-15T06:53:10.65Z</domain:crDate>
        <domain:upDate>2019-06-20T12:27:00.07Z</domain:upDate>
        <domain:exDate>2020-05-15T06:53:11.10Z</domain:exDate>
        <domain:authInfo>
          <domain:pw>!Password in cleartext!</domain:pw>
        </domain:authInfo>
      </domain:infData>
    </resData>
    <extension>
      <no-ext-domain:infData xmlns="http://www.norid.no/xsd/no-ext-domain-1.1" xmlns:no-ext-domain="http://www.norid.no/xsd/no-ext-domain-1.1">
        <no-ext-domain:applicantDataset>
          <no-ext-domain:versionNumber>3.0</no-ext-domain:versionNumber>
          <no-ext-domain:acceptName>*name*</no-ext-domain:acceptName>
          <no-ext-domain:acceptDate>2019-05-13T11:45:30.00Z</no-ext-domain:acceptDate>
          <no-ext-domain:updateClientID>!clID in cleartext!</no-ext-domain:updateClientID>
          <no-ext-domain:updateDate>2019-06-20T12:27:00.24Z</no-ext-domain:updateDate>
        </no-ext-domain:applicantDataset>
      </no-ext-domain:infData>
    </extension>
    <trID>
      <clTRID>5d0b7b949be73</clTRID>
      <svTRID>20190620142700641493-4chqdx-!ClID in cleartext!-NORID</svTRID>
    </trID>
  </response>
</epp>

ctrl + f and search for "!clID in cleartext!" and "!Password in cleartext!", those are the locations. I do not know how sensitive you count clID, but I'm mentioning it since it is filtered out in the login. The password however should be filtered out here, or at least there should be an option to do so.

metaregistrar commented 4 years ago

The domain and contact passwords should be blanked out in the logging. Please make sure that you are using the most recent version.

We are not that sensitive about clID. Same as the username when logging in, this is not blanked out in the logging. If you need that, feel free to adapt the code and create a pull request.

joveice commented 4 years ago

I am using the latest at @master since there are no tagged new releases with the norid stuff I have worked on. And here the pw is clearly logged in cleartext.

metaregistrar commented 4 years ago

I will look into this asap.

joveice commented 4 years ago

@metaregistrar any updates on this / is there a workaround? Currently using 1.0.8

metaregistrar commented 4 years ago

Hi,

Created a new version on DEV that hides domain:pw and contact:pw

As said, we're not so sensitive about clid, because on many occasions this is also shown in the WHOIS of certain registrars.

Do you need a new version / tag?
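An added example (not code from php-epp-client or from either participant) of the redaction the maintainer describes: every EPP request or response is passed through a filter before it reaches the logger, so `domain:pw` and `contact:pw` (and the login `pw`/`newPW`) are masked while `clID` and the rest of the message stay readable. The function name `redactEppSecrets`, the `[redacted]` mask and the sample response are assumptions; the sample is a constructed, shortened version of the response quoted in this issue with invented values.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not part of php-epp-client: mask EPP authInfo passwords
 * before the XML is written to a log. Returns the redacted XML string.
 */
function redactEppSecrets(string $xml, string $mask = '[redacted]'): string
{
    if ($xml === '') {
        return '';
    }

    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $parsed = $doc->loadXML($xml);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    if (!$parsed) {
        // Malformed or truncated XML still gets logged on the error path, so
        // fall back to a regex that masks any <pw>, <domain:pw> or <contact:pw>
        // element body rather than logging the raw message.
        return (string) preg_replace(
            '#(<(?:[A-Za-z0-9_]+:)?pw\b[^>]*>)(.*?)(</(?:[A-Za-z0-9_]+:)?pw>)#s',
            '$1' . $mask . '$3',
            $xml
        );
    }

    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('epp', 'urn:ietf:params:xml:ns:epp-1.0');
    $xpath->registerNamespace('domain', 'urn:ietf:params:xml:ns:domain-1.0');
    $xpath->registerNamespace('contact', 'urn:ietf:params:xml:ns:contact-1.0');

    // Match by namespace URI, not by prefix: the response in this issue
    // declares the domain namespace both as the default (xmlns="...") and
    // as the domain: prefix, and either spelling resolves to the same URI.
    $query = '//domain:authInfo/domain:pw'
        . ' | //contact:authInfo/contact:pw'
        . ' | //epp:login/epp:pw'
        . ' | //epp:login/epp:newPW';

    foreach ($xpath->query($query) as $node) {
        // Replace the element's children with a single masked text node;
        // attributes (e.g. roid="..." on domain:pw) are kept.
        while ($node->firstChild !== null) {
            $node->removeChild($node->firstChild);
        }
        $node->appendChild($doc->createTextNode($mask));
    }

    return $doc->saveXML();
}

// Constructed sample (shape of the response quoted in this issue, values invented).
$sample = <<<'XML'
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <response>
    <result code="1000"><msg>Command completed successfully</msg></result>
    <resData>
      <domain:infData xmlns:domain="urn:ietf:params:xml:ns:domain-1.0">
        <domain:name>example.no</domain:name>
        <domain:clID>REG123</domain:clID>
        <domain:authInfo><domain:pw>hunter2</domain:pw></domain:authInfo>
      </domain:infData>
    </resData>
  </response>
</epp>
XML;

// Hand the redacted copy to the logger; never log $sample itself.
echo redactEppSecrets($sample);
```

The XPath-first design is deliberate: a regex alone cannot tell a real `<domain:pw>` element from the same text inside a comment or a CDATA section, while the DOM pass handles prefixes, default namespaces and entity encoding correctly. The regex is only the last line of defence for input the parser rejects, which is exactly the case where an unguarded `log($xml)` call would otherwise write the raw password.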

joveice commented 4 years ago

@metaregistrar not sure what you meant by dev, could not see a branch. Yes I noticed that the clid wasn't sensitive so that's fine.

Yes, for a final release I will need a tag to stick to.

metaregistrar commented 4 years ago

dev is the latest, untested, unreleased code.

I have drafted version 1.0.9 now, for your use.

joveice commented 4 years ago

@metaregistrar ah gotcha, I will test it out now.

joveice commented 4 years ago

@metaregistrar This works, thanks a lot!