From a97292290ef634308eff1d46ad770ff1ed17de0d Mon Sep 17 00:00:00 2001
From: Martin Prikryl <martin@winscp.net>
Date: Thu, 8 Dec 2016 08:19:08 +0000
Subject: [PATCH] Bug 1488: Mask out passphrase in .NET assembly output log

https://winscp.net/tracker/1488

Source commit: 28224893c75cd1ac10930d98d46278ac1505efc2
---
 dotnet/Session.cs | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/dotnet/Session.cs b/dotnet/Session.cs
index 1c7ec1580..19b21972a 100644
--- a/dotnet/Session.cs
+++ b/dotnet/Session.cs
@@ -1531,15 +1531,6 @@ private void SessionOptionsToSwitches(SessionOptions sessionOptions, bool scanFi
                     switches.Add(FormatSwitch("clientcert", sessionOptions.TlsClientCertificatePath));
                 }
 
-                if (!string.IsNullOrEmpty(sessionOptions.PrivateKeyPassphrase) && !scanFingerprint)
-                {
-                    if (string.IsNullOrEmpty(sessionOptions.SshPrivateKeyPath) && string.IsNullOrEmpty(sessionOptions.TlsClientCertificatePath))
-                    {
-                        throw new ArgumentException("SessionOptions.PrivateKeyPassphrase is set, but neither SessionOptions.SshPrivateKeyPath nor SessionOptions.TlsClientCertificatePath is set.");
-                    }
-                    switches.Add(FormatSwitch("passphrase", sessionOptions.PrivateKeyPassphrase));
-                }
-
                 if (sessionOptions.FtpSecure != FtpSecure.None)
                 {
                     if (sessionOptions.Protocol != Protocol.Ftp)
@@ -1588,6 +1579,16 @@ private void SessionOptionsToSwitches(SessionOptions sessionOptions, bool scanFi
 
                 List<string> logSwitches = new List<string>(switches);
 
+                if (!string.IsNullOrEmpty(sessionOptions.PrivateKeyPassphrase) && !scanFingerprint)
+                {
+                    if (string.IsNullOrEmpty(sessionOptions.SshPrivateKeyPath) && string.IsNullOrEmpty(sessionOptions.TlsClientCertificatePath))
+                    {
+                        throw new ArgumentException("SessionOptions.PrivateKeyPassphrase is set, but neither SessionOptions.SshPrivateKeyPath nor SessionOptions.TlsClientCertificatePath is set.");
+                    }
+                    switches.Add(FormatSwitch("passphrase", sessionOptions.PrivateKeyPassphrase));
+                    logSwitches.Add(FormatSwitch("passphrase", "***"));
+                }
+
                 if ((sessionOptions.SecureNewPassword != null) && !scanFingerprint)
                 {
                     if (sessionOptions.SecurePassword == null)