Defect #28
closed
LDAP passwords are exposed in clear in the logs
Description
Debugging information displays the LDAP password in clear in the development.log and production.log files.
...cut
Processing AccountController#login (for 10.15.28.114 at 2007-03-28 18:45:37) [POST]
Session ID: 24b78e320a2de5d25615574f8a31e3b2
Parameters: {"action"=>"login", "controller"=>"account",
"login"=>"user11", "password"=>"secretpasswrd"}
User Load (0.002259) SELECT * FROM users WHERE (login='user11') LIMIT 1
AuthSource Load (0.002554) SELECT * FROM auth_sources WHERE (onthefly_register=1)
AuthSource Columns (0.001881) SHOW FIELDS FROM auth_sources
AuthSourceLdap Columns (0.002013) SHOW FIELDS FROM auth_sources
Authenticating 'user11' against 'Company'
DN found for user11: uid=user11,ou=People,o=Company.com
Authentication successful for 'user11'
...cut
Updated by Jean-Philippe Lang over 17 years ago
You're right. This issue was fixed several weeks ago in the code
repository. Now, any parameters containing "password"
are hidden in the logs.
If you can't wait for the next release (that should come in the
next weeks), I suggest you check out the latest source from
the trunk:
svn checkout svn://rubyforge.org/var/svn/redmine/trunk
Jean-Philippe
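The rule described in the reply above (hide any parameter whose name contains "password"), as an added example that is not part of the original thread and is not Redmine's own code. The names filter_params, leaking_lines and SAMPLE_LOG are hypothetical; the sample log lines are copied from the report above. The second function audits log text that was written before such a filter was in place.

```ruby
# Added example (not Redmine's code): mask sensitive request parameters
# before logging, and audit existing log text for clear-text passwords.
FILTERED  = "[FILTERED]"
SENSITIVE = /password/i # any key containing "password", as in the reply above

# Return a filtered deep copy of params; the input is left untouched.
# A sensitive key masks its whole value, including nested hashes/arrays.
def filter_params(value, key = nil)
  return FILTERED if key && key.to_s =~ SENSITIVE
  case value
  when Hash
    value.each_with_object({}) { |(k, v), out| out[k] = filter_params(v, k) }
  when Array
    value.map { |v| filter_params(v) }
  else
    value
  end
end

# Matches "…password…"=>"value" in a Rails-style Parameters dump unless the
# value is already the mask. Spaces around => are tolerated because newer
# Ruby versions print hashes with them.
LEAK = /"[^"]*password[^"]*"\s*=>\s*"(?!\[FILTERED\]")[^"]*"/i

# Return the 1-based numbers of the lines that still expose a password.
def leaking_lines(log_text)
  log_text.each_line.with_index(1)
          .select { |line, _n| line =~ LEAK }
          .map { |_line, n| n }
end

# Sample input: lines taken from the report above.
SAMPLE_LOG = <<~'LOG'
  Processing AccountController#login (for 10.15.28.114 at 2007-03-28 18:45:37) [POST]
  Parameters: {"action"=>"login", "controller"=>"account",
  "login"=>"user11", "password"=>"secretpasswrd"}
  Authentication successful for 'user11'
LOG

if __FILE__ == $0
  params = { "action" => "login", "login" => "user11",
             "password" => "secretpasswrd" }
  puts "Parameters: #{filter_params(params).inspect}"
  puts "Lines exposing a password: #{leaking_lines(SAMPLE_LOG).inspect}"
end
```

Passwords found by the audit in logs written before the filter was enabled were already stored in clear, so those log files need restricted access or purging and the affected accounts need a password change.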
Updated by Yacin Bahi over 17 years ago
I've updated to the latest code, thx!
--Yacin