nolsto / beets-follow

Plugin for the music library manager Beets (http://beets.radbox.org/). Follow artists from your library using muspy (https://muspy.com/).
MIT License

Leaks password via `beet config` #7

Open ryanakca opened 6 years ago

ryanakca commented 6 years ago

Unlike the musicbrainz plugin, the follow plugin will leak passwords via beet config. Please redact the password instead.

```
<rak@:/tmp/c:26> beet config | egrep -A3 '(musicbrainz|follow)'
musicbrainz:
    user: ryanakca
    pass: REDACTED
    auto: yes
--
follow:
    email: aobeu
    password: aoeuaoeuaeu
mbcollection:
```

sampsyo commented 6 years ago

Thanks for noticing that, @ryanakca!

For an example of how to redact configuration options, please see: https://github.com/beetbox/beets/blob/3ede5f26c80be01b9900c158f55356742fe70b47/beetsplug/mpdupdate.py#L75

nolsto commented 6 years ago

@ryanakca It may be that you need to update the plugin. The latest version 1.1.0 (on PyPI as well) corrected this behavior. See https://github.com/nolsto/beets-follow/commit/0c74b2e0a4a7a15d55d6dfbbaf37b91147459a3d

nolsto commented 6 years ago

Looks like this may not actually be implemented correctly. Sorry for closing. I'll look into it.

nolsto commented 6 years ago

Looks like I probably packaged to PyPI without incrementing the minor version number. I'll repackage to 1.1.1, but in the meantime, you can get the working version with `pip install --upgrade --force-reinstall beets-follow`
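
A check for the leak reported in this issue, added here as an example (not code from beets or beets-follow): it scans a `beet config` dump for secret-looking keys whose value is not the `REDACTED` placeholder. The key-name pattern, the function name and the sample dump are assumptions constructed for illustration.

```python
import re
import sys

# Key names treated as secrets (an assumption; extend for your own plugins).
SECRET_KEY = re.compile(
    r"(?:^|[_.-])(?:pass(?:word)?|secret|token|api_?key)$", re.IGNORECASE)
# Placeholder shown for the musicbrainz password in the issue's output.
REDACTED = "REDACTED"

# Constructed sample modelled on the output quoted in the issue.
SAMPLE = """\
musicbrainz:
    user: someuser
    pass: REDACTED
    auto: yes
follow:
    email: user@example.invalid
    password: not-a-real-password
mbcollection:
    auto: no
"""

def find_unredacted(dump):
    """Return dotted paths of secret-looking keys whose value is shown in clear."""
    stack = []   # (indent, key) of each enclosing mapping
    leaks = []
    for line in dump.splitlines():
        m = re.match(r"( *)([^:#\s][^:]*):\s*(.*)$", line)
        if not m:
            continue  # blank lines, comments and list items are out of scope
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        # Leave any mapping that is not a parent of this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value == "":
            stack.append((indent, key))  # key opens a nested mapping
            continue
        value = value.strip("'\"")
        if SECRET_KEY.search(key) and value and value != REDACTED:
            leaks.append(".".join([k for _, k in stack] + [key]))
    return leaks

if __name__ == "__main__":
    # Reads a dump from a pipe, or falls back to the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for path in find_unredacted(text):
        print("unredacted secret:", path)
```

Piping `beet config` into the script lists any option a plugin has left unredacted; only the key path is printed, never the value.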