Defect #28

closed

LDAP passwords are exposed in clear in the logs

Added by Yacin Bahi over 17 years ago. Updated over 17 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
% Done: 0%

Description

Debugging information displays the LDAP password in clear in the development.log and production.log files.

...cut
Processing AccountController#login (for 10.15.28.114 at 2007-03-28 18:45:37) [POST]
Session ID: 24b78e320a2de5d25615574f8a31e3b2
Parameters: {"action"=>"login", "controller"=>"account",
"login"=>"user11", "password"=>"secretpasswrd"}
User Load (0.002259) SELECT * FROM users WHERE (login='user11') LIMIT 1
AuthSource Load (0.002554) SELECT * FROM auth_sources WHERE (onthefly_register=1)
AuthSource Columns (0.001881) SHOW FIELDS FROM auth_sources
AuthSourceLdap Columns (0.002013) SHOW FIELDS FROM auth_sources
Authenticating 'user11' against 'Company'
DN found for user11: uid=user11,ou=People,o=Company.com
Authentication successful for 'user11'
...cut

Actions #1

Updated by Jean-Philippe Lang over 17 years ago

You're right. This issue was fixed several weeks ago in the code
repository. Now, any parameters containing "password"
are hidden in the logs.

If you can't wait for the next release (that should come in the
next weeks), I suggest you check out the latest source from
the trunk:

svn checkout svn://rubyforge.org/var/svn/redmine/trunk

Jean-Philippe
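
The behaviour described in the reply above (hiding any parameter whose name contains "password" before it reaches the log), as an added example that is not Redmine's own code. The names `filter_params` and `scrub_log_line` and the sample values are assumptions made for illustration; the second function covers log files written before the filter was in place.

```ruby
# Added example: mask sensitive request parameters before they are logged.
FILTERED = "[FILTERED]"

# Recursively replace the value of every key whose name contains one of
# the given substrings (case-insensitive), including nested hashes/arrays.
# Returns a new structure; the original params are left untouched.
def filter_params(params, needles = ["password"])
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      sensitive = needles.any? { |n| key.to_s.downcase.include?(n) }
      out[key] = sensitive ? FILTERED : filter_params(value, needles)
    end
  when Array
    params.map { |v| filter_params(v, needles) }
  else
    params
  end
end

# Scrub log text that was written before filtering was in place.
# Matches the hash rendering seen in the log excerpt: "key"=>"value".
def scrub_log_line(line, needles = ["password"])
  alt = needles.map { |n| Regexp.escape(n) }.join("|")
  pattern = /("[^"]*(?:#{alt})[^"]*"\s*=>\s*)"(?:[^"\\]|\\.)*"/i
  line.gsub(pattern) { "#{$1}\"#{FILTERED}\"" }
end

# Constructed sample input modelled on the excerpt in the report.
SAMPLE_PARAMS = {
  "action" => "login", "controller" => "account",
  "login" => "user11", "password" => "example-secret",
  "user" => { "password_confirmation" => "example-secret",
              "mail" => "u@example.test" }
}
SAMPLE_LINE = 'Parameters: {"action"=>"login", "login"=>"user11", ' \
              '"password"=>"example-secret"}'

if __FILE__ == $0
  puts "Parameters: #{filter_params(SAMPLE_PARAMS).inspect}"
  puts scrub_log_line(SAMPLE_LINE)
end
```

Scrubbing old log files does not undo the exposure: any password that was already written in clear should be changed.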

Actions #2

Updated by Yacin Bahi over 17 years ago

I've updated to the latest code, thx!
--Yacin
