The following debug lines may reveal the password from a connection string:

• PHONGO: DEBUG > Connection string:
• PHONGO: DEBUG > Created client hash:

Moreover, the "pem_pwd" key in the $driverOptions parameter to the Manager constructor can end up in the client hash. After PHPC-1288, that same value may be expressed via the "tlsCertificateKeyFilePassword" connection string and/or URI option.

If possible, we should attempt to sanitize both of these strings (URI password and certificate passwords) before emitting them in the debug logs.

The debug logs also includes raw socket communication; however, the original password is never sent in the clear by any auth mechanisms. The auth exchanges use nonces, so it should not be possible to replay them from the raw socket data; however, the logs may certainly still contain sensitive information since they expose raw document data exchanged with the server (e.g. inserted documents, queries).