Bug 505561

Summary: akonadi_ews_resource log messages logs user password in plain text
Product: [Frameworks and Libraries] Akonadi
Reporter: Thomas Fischer <fischer>
Component: EWS Resource
Assignee: kdepim bugs <pim-bugs-null>
Status: REPORTED ---
Severity: grave
CC: carl, krissn, nicolas.fella
Priority: NOR
Version First Reported In: unspecified
Target Milestone: ---
Platform: Fedora RPMs
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:

Description Thomas Fischer 2025-06-13 09:33:14 UTC
Checking my logs (journalctl) I found lines like this:

akonadi_ews_resource[3499]: org.kde.pim.ews.client: Failed to process EWS request: Error transferring https://USERNAME:PASSWORD@mail.DOMAIN/EWS/Exchange.asmx - server replied: Internal Server Error

Here, "USERNAME", "PASSWORD", and "DOMAIN" are placeholders for the real, plain values used in my setup.
The problem is not the error itself, but that the user's password got logged in plain text.
Please review the EWS component so that any logging of URLs and similar strips the credentials from the URL. Probably QUrl's toDisplayString can be used, as it is supposed to strip away passwords.

The log messages were recorded last in March on a Fedora Linux system (probably 41), but not since then.
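
Added example, not part of the report and not Akonadi code: a log audit that finds lines carrying a password in a URL's userinfo, as in the message quoted above, and reports them with the password dropped and the user name kept. The function names, the extra sample lines, the credentials and the example.org hosts are constructed for illustration.

```python
import re
import sys

# scheme:// followed by the authority (everything up to the first '/', '?', '#' or space)
AUTHORITY = re.compile(r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)(?P<authority>[^\s/?#]+)")

def strip_url_passwords(line):
    """Return (line with URL passwords removed, number of passwords removed)."""
    removed = 0

    def _strip(match):
        nonlocal removed
        # The last '@' separates userinfo from host, so a raw '@' in a password is handled.
        userinfo, at, host = match.group("authority").rpartition("@")
        user, colon, password = userinfo.partition(":")
        if not (at and colon and password):
            return match.group(0)  # no password present: host:port, user@host, ...
        removed += 1
        return f"{match.group('scheme')}{user}@{host}"

    return AUTHORITY.sub(_strip, line), removed

def audit(lines):
    """Return [(line_number, redacted_line)] for every line that leaked a password."""
    findings = []
    for number, line in enumerate(lines, start=1):
        redacted, removed = strip_url_passwords(line.rstrip("\n"))
        if removed:
            findings.append((number, redacted))
    return findings

# Constructed sample input, modelled on the log line quoted in the report.
SAMPLE_LOG = [
    "akonadi_ews_resource[3499]: org.kde.pim.ews.client: Failed to process EWS request: "
    "Error transferring https://alice:s3cr3t%40x@mail.example.org/EWS/Exchange.asmx"
    " - server replied: Internal Server Error",
    "akonadi_ews_resource[3499]: connecting to https://mail.example.org:443/EWS/Exchange.asmx",
    "some_service[12]: got http://bob@files.example.org/a and ftp://carol:pw@ftp.example.org/b",
]

if __name__ == "__main__":
    # Read log text from stdin when piped, otherwise fall back to the constructed sample.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for number, redacted in audit(source):
        print(f"line {number}: {redacted}")
```

Run as a script, it reads log text from standard input when piped and prints only the redacted form of each affected line, so the audit output does not repeat the leak.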