Security Issue - password visible in logs
I wasn't sure whether to post this issue here (as a bug) or in "Scripting / Automation". I came across a bug where the password is visible (plain-text) in the log file (without the intentional use of /loglevel=x*).

I found this bug in version 6.1.1.13736.

Here is the command-line to reproduce the bug:

winscp.exe /log=winscp.log /loglevel=2 /command "open sftp://username:mystrongpassword@host" "pwd" "exit"

After running that command you see the following in the winscp.log file:

. 2023-08-11 14:51:38.461 Command-line: winscp.exe /log=winscp.log /loglevel=2 /command "open sftp://username:***@host" "pwd" "exit"
. 2023-08-11 14:51:38.461 Switch: /log=winscp.log
. 2023-08-11 14:51:38.466 Switch: /loglevel=2
. 2023-08-11 14:51:38.466 Switch: /command
. 2023-08-11 14:51:38.466 Parameter: open sftp://username:mystrongpassword@host
. 2023-08-11 14:51:38.466 Parameter: pwd
. 2023-08-11 14:51:38.466 Parameter: exit

Notice in the first line (shown above) where it echoes the full command line, the password is correctly masked. However, a few lines below that, where it starts to list the individual parameters, the full session URL is shown (including the plain-text password) as part of the open command.

The topic on logging (https://winscp.net/eng/docs/logging) states:

"Note that passwords and passphrases are not stored to either log format."

As such, this seems like a bug that should be fixed (so the password is also masked when shown as part of the open command as a parameter listed in the log file).
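Until a fixed build is deployed, a log scrubber can find and mask any session-URL password that reached winscp.log in the "Parameter: open ..." lines the post shows. The following is an added example written for this thread, not code from the post or from WinSCP; the regular expression, the list of URL schemes and the sample log lines are assumptions constructed to match the excerpt above.

```python
import re

# Matches a session URL of the form scheme://user:password@host as WinSCP
# accepts it on the "open" command. The password part may contain
# percent-encoded characters but not a raw '@' or '/'. The scheme list is
# an assumption chosen to cover the common WinSCP protocols.
SESSION_URL_RE = re.compile(
    r"(?P<prefix>\b(?:sftp|ftp|ftps|scp|webdav|s3)://[^\s:/@]+:)"
    r"(?P<password>[^\s/@]+)"
    r"(?P<suffix>@)"
)


def redact_line(line: str) -> str:
    """Return the log line with any plain-text URL password replaced by '***'.
    Lines WinSCP already masked ('***') and URLs without a password are left as-is."""
    def _mask(m: re.Match) -> str:
        if m.group("password") == "***":
            return m.group(0)
        return f"{m.group('prefix')}***{m.group('suffix')}"
    return SESSION_URL_RE.sub(_mask, line)


def find_leaks(lines):
    """Return (line_number, redacted_line) for every line that carried a plain-text password."""
    leaks = []
    for no, line in enumerate(lines, 1):
        redacted = redact_line(line)
        if redacted != line:
            leaks.append((no, redacted))
    return leaks


# Constructed sample in the same layout as the winscp.log excerpt in the post
# (the ftp line with a percent-encoded password is added to exercise that case).
SAMPLE_LOG = """\
. 2023-08-11 14:51:38.461 Command-line: winscp.exe /log=winscp.log /loglevel=2 /command "open sftp://username:***@host" "pwd" "exit"
. 2023-08-11 14:51:38.461 Switch: /log=winscp.log
. 2023-08-11 14:51:38.466 Parameter: open sftp://username:mystrongpassword@host
. 2023-08-11 14:51:38.466 Parameter: open ftp://backup:p%40ss%2Fword@ftp.example.test
. 2023-08-11 14:51:38.466 Parameter: open sftp://username@host
. 2023-08-11 14:51:38.466 Parameter: pwd
"""

if __name__ == "__main__":
    for no, line in find_leaks(SAMPLE_LOG.splitlines()):
        print(f"line {no}: {line}")
```

Run it over a real winscp.log instead of SAMPLE_LOG to confirm which lines need scrubbing before the file is shared or archived.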