Hi Dan et al,

I was working recently on a Chirp issue and a user uploaded a debug.log for me... the debug.log has the passwords of an online service in plain text. The issue page was removed as per user request to maintain his privacy (I would have erased only the uploaded log and not the entire issue page, but I was offline at that time.)

That is, from any point of view, a security risk and unacceptable; Chirp can't leak users' credentials.

You can see a sample of a log (password obfuscated to "password" for security reasons) in this comment:

https://chirp.danplanet.com/issues/5481#note-11

I ask Dan and others about the correct course of action; as I see it, we have a few options:

  1. Don't log the XML data at all (this will make it difficult to debug)
  2. Parse the XML data output and remove/obfuscate the password before printing to debug.log
  3. #2 plus some command-line switch to log the clear-text credentials only on demand of the user/dev.
  4. Other?

Number 2 is the obvious option, but I don't have an online account to test with, nor the connectivity and time to test it.

Who will take it and fix it? Dan? Others?

Maybe I have the paranoia setting too high...

Cheers, Pavel.

-- 
73 CO7WT, Pavel.
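
Options 2 and 3 from the message above, sketched as an added example that is not part of the original post and is not Chirp's code: XML is scrubbed of credential fields before it reaches debug.log, with an opt-in `reveal` flag standing in for the command-line switch. The field names in `SENSITIVE`, the `SAMPLE` document and all function and class names are assumptions, since the post does not show the service's XML.

```python
import logging
import re
import xml.etree.ElementTree as ET

# Assumed field names: the service's real XML schema is not shown in the post.
SENSITIVE = ("password", "passwd", "pass")
MASK = "********"
_NAMES = "|".join(SENSITIVE)
_ELEM = re.compile(r"(<(?:\w+:)?(?:%s)\b[^>]*(?<!/)>).*?(</)" % _NAMES, re.I | re.S)
_ATTR = re.compile(r"(\b(?:%s)\s*=\s*)([\"']).*?\2" % _NAMES, re.I | re.S)
# Constructed sample input, not taken from any real log.
SAMPLE = '<login user="bob" password="s3cret"><Password>hunter2</Password></login>'

def _local(name):
    """'{namespace}Tag' -> 'tag'."""
    return name.rsplit("}", 1)[-1].lower()

def _regex_redact(text):
    """Fallback for text that is not a single well-formed XML document."""
    text = _ELEM.sub(r"\g<1>" + MASK + r"\g<2>", text)
    return _ATTR.sub(r"\g<1>\g<2>" + MASK + r"\g<2>", text)

def redact_xml(text, reveal=False):
    """Mask credential elements/attributes; reveal=True models option 3's switch."""
    if reveal:
        return text
    # Never hand DTDs to ElementTree (entity-expansion risk); use the regex path.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return _regex_redact(text)
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return _regex_redact(text)
    for el in root.iter():
        if _local(el.tag) in SENSITIVE and el.text:
            el.text = MASK
        for attr in list(el.attrib):
            if _local(attr) in SENSITIVE:
                el.set(attr, MASK)
    return ET.tostring(root, encoding="unicode")

class RedactingFilter(logging.Filter):
    """Attach to the debug.log handler so every record is scrubbed before writing."""
    def filter(self, record):
        record.msg, record.args = redact_xml(record.getMessage()), None
        return True
```

Putting the filter on the file handler rather than at each call site means a new log statement cannot bypass it; credentials under field names not listed in `SENSITIVE` still pass through, so the list has to match the real schema.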