pypa · cjerdonek · Mar 1, 2019 · Feb 23, 2019 · Feb 24, 2019 · Feb 24, 2019
diff --git a/src/pip/_internal/index.py b/src/pip/_internal/index.py
@@ -74,6 +74,17 @@
 logger = logging.getLogger(__name__)
 
 
+def _redacted_url(url):
+    """Redact the URL to remove the basic auth password
+    """
+    parsed = urllib_parse.urlparse(url)
+
+    replaced = parsed._replace(netloc="{}:{}@{}".format(parsed.username, "<pwd>", parsed.hostname))
+    replaced_url = replaced.geturl()
+
+    return replaced_url
+
+
 def _match_vcs_scheme(url):
     # type: (str) -> Optional[str]
     """Look for VCS schemes in the URL.
@@ -155,7 +166,7 @@ def _get_html_response(url, session):
     if _is_url_like_archive(url):
         _ensure_html_response(url, session=session)
 
-    logger.debug('Getting page %s', url)
+    logger.debug('Getting page %s', _redacted_url(url))
 
     resp = session.get(
         url,

diff --git a/tests/functional/test_install_config.py b/tests/functional/test_install_config.py
@@ -40,6 +40,19 @@ def test_command_line_options_override_env_vars(script, virtualenv):
     assert "Getting page https://download.zope.org/ppix" in result.stdout
 
 
+def test_no_password_in_debug_message(script, virtualenv):
+    """
+    Test that password in the URL is not logged
+    """
+    script.environ['PIP_INDEX_URL'] = 'https://user:my_password@example.com/simple/'
+    result = script.pip('install', '-vvv', 'INITools', expect_error=True)
+    assert (
+        "Getting page https://user:<pwd>@example.com/simple/initools"
+        in result.stdout
+    )
+    virtualenv.clear()
+
+
 @pytest.mark.network
 def test_env_vars_override_config_file(script, virtualenv):
     """