[PATCH] svn_load_dirs.pl: hide passwords printed to screen

[Geoffrey Alary <ge...@gmail.com>]

Hello,

I often use svn_load_dirs.pl in a script to load several huge third
party libraries into our SVN repo. This repository uses LDAP
authentication with https and I do not want my password popping up at
times on the console executing the script (for several hours).

Hence my second patch, that hides the password printed to screen with
stars (*). It does that by passing the array of arguments containing
the password to a function sanitize_pwd before printing it. This
function searches for '--password' and hides the following word.

I digress a bit, but my scripts using svn_load_dirs.pl (themselves in
a SVN repo) ask for username/password so that they do not expose
sensitive information. Password is prompted either with `read -s` for
the bash script, or with this SO answer for the batch version:
http://stackoverflow.com/a/20343074/3628160

Please find my patch below. Besides defining sanitize_pwd and changing
the print call sites the attached version of the patch also replaces
the few tabs in source by spaces (as I realized gmail edits the tabs I
omitted this part from the version below, which apart from that
fulfils its duty).

Best regards,
Geoffrey

--- contrib/client-side/svn_load_dirs/svn_load_dirs.pl.in
+++ contrib/client-side/svn_load_dirs/svn_load_dirs.pl.in
@@ -1499,6 +1499,18 @@ sub file_info
   return '?';
 }

+# Copy arguments and replace what follows --password with '*'s.
+sub sanitize_pwd
+{
+  my @str = @_ ;
+  my $hide_next = 0 ;
+  foreach(@str) {
+    $_ = '*' x length if ( $hide_next ) ;
+    $hide_next = ($_ eq '--password') ;
+  }
+  @str
+}
+
 # Start a child process safely without using /bin/sh.
 sub safe_read_from_pipe
 {
@@ -1510,7 +1522,7 @@ sub safe_read_from_pipe
   my $openfork_available = "MSWin32" ne $OSNAME;
   if ($openfork_available)
     {
-      print "Running @_\n";
+      print join(' ', &sanitize_pwd("Running", @_, "\n") );
       my $pid = open(SAFE_READ, "-|");
       unless (defined $pid)
         {
@@ -1522,7 +1534,9 @@ sub safe_read_from_pipe
           open(STDERR, ">&STDOUT")
             or die "$0: cannot dup STDOUT: $!\n";
           exec(@_)
-            or die "$0: cannot exec '@_': $!\n";
+            or die "$0: cannot exec '"
+              . join(' ', &sanitize_pwd(@_) )
+              . "': $!\n";
         }
     }
   else
@@ -1559,7 +1573,7 @@ sub safe_read_from_pipe
             }
         }

-      print "Running @commandline\n";
+      print join(' ', &sanitize_pwd("Running", @commandline, "\n") );
       if ( $comment ) { print $comment; }

       # Now do the pipe.
@@ -1581,7 +1595,9 @@ sub safe_read_from_pipe
   my $cd     = $result & 128 ? "with core dump" : "";
   if ($signal or $cd)
     {
-      warn "$0: pipe from '@_' failed $cd: exit=$exit signal=$signal\n";
+      warn "$0: pipe from '"
+        . join(' ', &sanitize_pwd(@_) )
+        . "' failed $cd: exit=$exit signal=$signal\n";
     }
   if (wantarray)
     {
@@ -1604,8 +1620,9 @@ sub read_from_process
   my ($status, @output) = &safe_read_from_pipe(@_);
   if ($status)
     {
-      print STDERR "$0: @_ failed with this output:\n", join("\n", @output),
-                   "\n";
+      print STDERR
+        join(' ', &sanitize_pwd("$0:", @_, "failed with this output:\n") ),
+        join("\n", @output), "\n";
       unless ($opt_no_user_input)
         {
           print STDERR