From b831da4bf1cf2572235e5d359eb7b690c0a8d18d Mon Sep 17 00:00:00 2001
From: Klemens Nanni
Date: Sat, 24 Feb 2024 14:41:02 +0100
Subject: [PATCH] Omit password in debug (syslog) output

Configuration files may contain it, but those can be protected with filesystem permissions. Debug log, however, may end up in syslog(3) which is usually accessible by all users on a system. Avoid disclosing user secrets by simply not printing the password.
---
 shairport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/shairport.c b/shairport.c
index bded4165..8a19b267 100644
--- a/shairport.c
+++ b/shairport.c
@@ -2429,7 +2429,7 @@ int main(int argc, char **argv) {
 debug(1, "allow a session to be interrupted: %d.", config.allow_session_interruption);
 debug(1, "busy timeout time is %d.", config.timeout);
 debug(1, "drift tolerance is %f seconds.", config.tolerance);
- debug(1, "password is \"%s\".", strnull(config.password));
+ debug(1, "password is %s.", config.password == NULL ? "not set" : "set (omitted)");
 debug(1, "default airplay volume is: %.6f.", config.default_airplay_volume);
 debug(1, "high threshold airplay volume is: %.6f.", config.high_threshold_airplay_volume);
 if (config.limit_to_high_volume_threshold_time_in_minutes == 0)
--
2.47.2
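Review bot: The new `debug(1, "password is %s.", ...)` line has no comment saying why the value is withheld, so the rationale lives only in the commit message and a later debugging change could quietly print the secret again. A one-line comment above it would keep that visible, for example `/* Never log the password itself: debug output can reach syslog, which other local users may be able to read. */`. The test is `config.password == NULL` only, so an empty-string password would presumably be reported as "set (omitted)"; if an empty value means "no password" elsewhere in the program, `config.password == NULL || config.password[0] == '\0'` would keep the log accurate. `main` starts and ends outside this hunk, so whether other lines in the same debug dump print credential-like settings cannot be judged from here and is worth a quick check.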