pypa / twine

Utilities for interacting with PyPI
https://twine.readthedocs.io/
Apache License 2.0
1.61k stars, 308 forks

Sanitize URLs for logging/display purposes. #1104

Closed ascheel closed 5 months ago

ascheel commented 5 months ago

Sanitize URLs that contain user and password combinations since this output can show up in logging. The alternative is to silence ALL output.

It may need to be sanitized in the "raise exceptions.RedirectDetected" block, but I'm not familiar enough with it to say for sure.

sigmavirus24 commented 5 months ago

There are several places below this where it might be printed. Instead of trying to sanitize this, we should parse out the credentials in one place and then only use a repository_url that doesn't have any user information at all. (And maybe we should just forbid this usage altogether since user/pass can be provided in other ways)

ascheel commented 5 months ago

It's a valid part of the URL specification (RFC 1738). It's already been allowed in the past, so to remove it would break the RFC (if that matters) and would break a not-insignificant number of people/organizations providing authentication in this manner.
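The approach sigmavirus24 describes above (parse the credentials out of the repository URL once, then use a URL with no userinfo everywhere else) and the redaction ascheel asks for can be shown together. The following is an added example written for this thread, not twine's own code: `split_credentials` and `redact_url` are hypothetical helper names, and the URL `https://alice:s3cr%40t@pypi.example.org:8443/simple/` is a constructed sample. It uses only `urllib.parse` from the standard library.

```python
from urllib.parse import unquote, urlsplit, urlunsplit

# Example helpers for handling RFC 1738 style "user:password@host" URLs.
# The idea: strip the userinfo exactly once, keep the credentials in
# memory, and let every later log line or exception see only the
# credential-free URL. Not part of twine; names are hypothetical.

MASK = "****"


def split_credentials(url):
    """Return (url_without_userinfo, username, password).

    username/password are percent-decoded; both are None when the URL
    carries no userinfo. The returned URL keeps the port, path, query
    and fragment, so it can be used as a drop-in repository URL.
    """
    parts = urlsplit(url)
    username = unquote(parts.username) if parts.username is not None else None
    password = unquote(parts.password) if parts.password is not None else None

    host = parts.hostname or ""  # note: urlsplit lowercases the host
    if ":" in host:              # re-add brackets for IPv6 literals
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"

    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return clean, username, password


def redact_url(url):
    """Return the URL with any password replaced by MASK, for display only.

    The username is left in place (it is usually needed to make the log
    line meaningful); the raw percent-encoded netloc is edited directly
    so nothing is accidentally decoded or re-encoded.
    """
    parts = urlsplit(url)
    if parts.password is None or "@" not in parts.netloc:
        return url
    userinfo, host_part = parts.netloc.rsplit("@", 1)
    raw_username = userinfo.split(":", 1)[0]
    netloc = f"{raw_username}:{MASK}@{host_part}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: credentials embedded in a private index URL.
    sample = "https://alice:s3cr%40t@pypi.example.org:8443/simple/"
    repository_url, user, pw = split_credentials(sample)
    print("safe to log:", repository_url)     # no userinfo at all
    print("for display:", redact_url(sample))  # https://alice:****@...
    print("credentials kept in memory:", user, pw)
```

Usage note: with this split done at configuration time, a `RedirectDetected` message or any verbose output can print `repository_url` freely, and `redact_url` covers the case where the original string still has to be shown to the user. Parsing with `urlsplit` rather than a regular expression also handles IPv6 hosts, explicit ports and percent-encoded characters in the password (the `%40` in the sample decodes to `@`).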