Topic review

martin

Re: plain-text password logged in Debug Log

For this purpose, use a session log, not a debug log.
schopc3

Re: plain-text password logged in Debug Log

martin wrote:

Debug log is for debugging. You may need to see the password to debug a problem.

I am using WinSCP.exe plus the .NET component in an automated environment where I want to let users configure the system to write a debug log to disk in cases where they think the remote FTP server or interaction with the WinSCP component is the problem. Short of me doing some post-processing on the debug log, which is unreliable since I am not the maker of the log, we have the potential to have passwords sitting in plain text in a server environment. When writing the log the password is known, so can we have an option to mask all instances of it before writing the debug log to disk? If the option were added, it seems logical to make masking the password the default behavior and make users flip a bit to log the password in plain text.
martin

Re: plain-text password logged in Debug Log

Debug log is for debugging. You may need to see the password to debug a problem.
schopc3

plain-text password logged in Debug Log

When enabling the debug log from the .NET class using a log level of "Normal" we see passwords in the Debug log. Some passwords are masked with * but others are left in plain-text. This seems to be undocumented behavior with no way to disable password logging. Is there a way to prevent plain-text passwords from being written to the debug log?

Below are some relevant excerpts from the debug log. The entry in question starts with "Output: [winscp> open" where the ftp info has been obfuscated by me:

---beginning of log---
[2015-10-14 13:19:07.383Z] [0001] Executing Assembly: WinSCPnet, Version=1.2.9.5553, Culture=neutral, PublicKeyToken=2271ec4a3c56d0bf; Path: D:\WinSCPnet.DLL; Location: D:\WinSCPnet.dll; Product: 5.7.4.0
.
.
.
[2015-10-14 13:19:07.383Z] [0001] Operating system: Microsoft Windows NT 6.2.9200.0
.
.
.
[2015-10-14 13:19:07.384Z] [0001] Runtime: 4.0.30319.18449
.
.
.
[2015-10-14 13:19:07.395Z] [0001] Version of D:\WinSCP.exe is 5.7.4.5553, product WinSCP version is 5.7.4.0
.
.
.
[2015-10-14 13:19:07.568Z] [0001] Output: [winscp> option batch on]
[2015-10-14 13:19:07.568Z] [0001] Output: [batch on ]
[2015-10-14 13:19:07.568Z] [0001] Output: [reconnecttime 120 ]
[2015-10-14 13:19:07.568Z] [0001] Output: [winscp> option confirm off]
[2015-10-14 13:19:07.568Z] [0001] Output: [confirm off ]
[2015-10-14 13:19:07.568Z] [0001] Output: [winscp> option reconnecttime 120]
[2015-10-14 13:19:07.568Z] [0001] Output: [reconnecttime 120 ]
[2015-10-14 13:19:07.568Z] [0001] Output: [winscp> open "ftp://user:password@ftp.servername.com:21" -passive=1 -timeout=15 -rawsettings FtpUseMlsd="2" Timeout="300"]
[2015-10-14 13:19:07.568Z] [0001] Output: [Connecting to ftp.servername.com ...]
.
.
.
---log truncated---
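The post-processing approach raised in the thread, sketched as an added example (not code from the thread or from WinSCP): it masks the password in `scheme://user:password@host` URLs like the `open` line above, and also masks every literal or percent-encoded occurrence of a secret the caller already knows. The function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import quote

MASK = "***"

# scheme://user:password@host ; user and password stop at characters
# that must be percent-encoded inside URL userinfo.
_URL_USERINFO = re.compile(
    r'(?P<head>\b[a-z][a-z0-9+.-]*://[^\s:/@"]+:)(?P<pw>[^\s/@"]+)(?=@)',
    re.IGNORECASE,
)


def redact_line(line, known_secrets=()):
    """Mask URL-embedded passwords, then any literal known secret."""
    line = _URL_USERINFO.sub(lambda m: m.group("head") + MASK, line)
    # Longest first so a secret that contains another is masked whole.
    for secret in sorted(filter(None, known_secrets), key=len, reverse=True):
        # Cover both the raw secret and its percent-encoded URL form.
        for form in {secret, quote(secret, safe="")}:
            line = line.replace(form, MASK)
    return line


def redact_log(lines, known_secrets=()):
    """Apply redact_line to every line of a log."""
    return [redact_line(entry, known_secrets) for entry in lines]


# Constructed sample lines modelled on the excerpt above (not real log data).
SAMPLE = [
    '[2015-10-14 13:19:07.568Z] [0001] Output: [winscp> option batch on]',
    '[2015-10-14 13:19:07.568Z] [0001] Output: [winscp> open '
    '"ftp://user:password@ftp.servername.com:21" -passive=1 -timeout=15]',
    '[2015-10-14 13:19:07.568Z] [0001] Output: [winscp> open '
    '"sftp://user:p%40ss%2Fword@sftp.example.com"]',
    '[2015-10-14 13:19:07.570Z] [0001] Constructed line echoing p@ss/word',
]

if __name__ == "__main__":
    for out in redact_log(SAMPLE, known_secrets=["p@ss/word"]):
        print(out)
```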