Bug 505561 - akonadi_ews_resource log messages logs user password in plain text
Status: REPORTED
Alias: None
Product: Akonadi
Classification: Frameworks and Libraries
Component: EWS Resource (other bugs)
Version First Reported In: unspecified
Platform: Fedora RPMs Linux
Importance: NOR grave
Target Milestone: ---
Assignee: kdepim bugs
Reported: 2025-06-13 09:33 UTC by Thomas Fischer
Modified: 2025-06-13 09:53 UTC

Description Thomas Fischer 2025-06-13 09:33:14 UTC
Checking my logs (journalctl) I found lines like this:

akonadi_ews_resource[3499]: org.kde.pim.ews.client: Failed to process EWS request: Error transferring https://USERNAME:PASSWORD@mail.DOMAIN/EWS/Exchange.asmx - server replied: Internal Server Error

Here, "USERNAME", "PASSWORD", and "DOMAIN" are placeholders for the real, plain values used in my setup.
The problem is not the error itself, but that the user's password got logged in plain text.
Please review the EWS component so that any logging of URLs and similar strips the credentials from the URL. Probably QUrl's toDisplayString can be used, as it is supposed to strip away passwords.

The log messages were recorded last in March on a Fedora Linux system (probably 41), but not since then.
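
The sanitizing step the report asks for, as an added example that is not Akonadi or Qt code: a standard-library C++ function that strips the userinfo part from every URL in a message before it reaches the log. The names `scrubUrlCredentials`, `Scrub` and `kSampleLine` are hypothetical; `PasswordOnly` keeps the user name, which is the behaviour the reporter expects from `QUrl::toDisplayString`, while the default drops the user name as well.

```cpp
#include <iostream>
#include <string>

// Added example (not Akonadi code): remove credentials from any URL in a log line.
enum class Scrub { PasswordOnly, WholeUserInfo };

// Log line from the report above, with the reporter's placeholders.
const std::string kSampleLine =
    "akonadi_ews_resource[3499]: org.kde.pim.ews.client: Failed to process EWS request: "
    "Error transferring https://USERNAME:PASSWORD@mail.DOMAIN/EWS/Exchange.asmx"
    " - server replied: Internal Server Error";

std::string scrubUrlCredentials(const std::string& text, Scrub mode = Scrub::WholeUserInfo)
{
    std::string out;
    std::size_t pos = 0;
    for (;;) {
        const std::size_t sep = text.find("://", pos);
        if (sep == std::string::npos)
            break;
        const std::size_t authStart = sep + 3;
        // The authority ends at the first '/', '?', '#' or whitespace.
        std::size_t authEnd = text.find_first_of("/?# \t\r\n", authStart);
        if (authEnd == std::string::npos)
            authEnd = text.size();
        out.append(text, pos, authStart - pos);
        // Last '@' in the authority, so a password with a raw '@' is fully covered.
        const std::size_t at = text.rfind('@', authEnd);
        if (at == std::string::npos || at < authStart || at >= authEnd) {
            pos = authStart;              // no userinfo in this URL
            continue;
        }
        if (mode == Scrub::PasswordOnly) {
            const std::string userinfo = text.substr(authStart, at - authStart);
            out += userinfo.substr(0, userinfo.find(':')) + '@';  // keep user name only
        }
        pos = at + 1;                     // resume at the host
    }
    out.append(text, pos, std::string::npos);
    return out;
}

int main()
{
    std::cout << scrubUrlCredentials(kSampleLine) << '\n';
    std::cout << scrubUrlCredentials(kSampleLine, Scrub::PasswordOnly) << '\n';
    return 0;
}
```

A password containing an unencoded `/` ends the authority early and is not caught, so the scrubber belongs next to, not instead of, keeping credentials out of the URL object that gets logged.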