Defect #28

LDAP passwords are exposed in clear text in the logs

Added by Yacin Bahi over 10 years ago. Updated over 10 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Resolution:
Affected version:

Description

Debugging information displays the LDAP password in clear text in the development.log and production.log files.

...cut
Processing AccountController#login (for 10.15.28.114 at 2007-03-28 18:45:37) [POST]
Session ID: 24b78e320a2de5d25615574f8a31e3b2
Parameters: {"action"=>"login", "controller"=>"account",
"login"=>"user11", "password"=>"secretpasswrd"}
User Load (0.002259) SELECT * FROM users WHERE (login='user11') LIMIT 1
AuthSource Load (0.002554) SELECT * FROM auth_sources WHERE (onthefly_register=1)
AuthSource Columns (0.001881) SHOW FIELDS FROM auth_sources
AuthSourceLdap Columns (0.002013) SHOW FIELDS FROM auth_sources
Authenticating 'user11' against 'Company'
DN found for user11: uid=user11,ou=People,o=Company.com
Authentication successful for 'user11'
...cut

History

#1 Updated by Yacin Bahi over 10 years ago

I've updated to the latest code, thanks!
--Yacin

#2 Updated by Jean-Philippe Lang over 10 years ago

You're right. This issue was fixed several weeks ago in the code
repository. Now, any parameters containing "password"
are hidden in the logs.

If you can't wait for the next release (that should come in the
next weeks), I suggest you check out the latest source from
the trunk:

svn checkout svn://rubyforge.org/var/svn/redmine/trunk

Jean-Philippe
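The two sides of this issue, as an added example that is not Redmine's own code and not part of the original thread: a standalone Ruby function that redacts any request parameter whose name contains "password" before it is logged, in the spirit of the Rails filter_parameter_logging behaviour the comment above describes, and a scanner that checks an existing development.log or production.log for parameter lines where a password value still appears in clear. The helper names (filter_params, log_parameters_line, leaked_password_lines) are assumptions; the sample parameters and log fragment are constructed to mirror the excerpt in the description, with one already-filtered request added for contrast.

```ruby
# Added example (not Redmine's own code; helper names are assumed).
# filter_params redacts request parameters before they reach the log;
# leaked_password_lines scans an existing log for parameter lines where a
# password value is still printed in clear.

FILTERED_VALUE = "[FILTERED]".freeze
PASSWORD_KEY = /password/i

# Returns a copy of +params+ with every value whose key contains "password"
# (case-insensitive) replaced by FILTERED_VALUE. Nested hashes and arrays
# are walked, so {"user" => {"new_password" => "..."}} is redacted too.
def filter_params(params, pattern = PASSWORD_KEY)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = key.to_s.match?(pattern) ? FILTERED_VALUE : filter_params(value, pattern)
    end
  when Array
    params.map { |v| filter_params(v, pattern) }
  else
    params
  end
end

# Formats the "Parameters: {...}" line the way the request log in the issue
# prints it, but with filtering applied first.
def log_parameters_line(params)
  "Parameters: #{filter_params(params).inspect}"
end

# Matches a parameter whose key contains "password" and whose value is not
# the redaction marker, e.g. "password"=>"secretpasswrd".
LEAK_PATTERN = /"[^"]*password[^"]*"\s*=>\s*"(?!\[FILTERED\]")[^"]*"/i

# Returns the lines of +log_text+ that still carry a clear-text password
# parameter; an empty array means the log is clean.
def leaked_password_lines(log_text)
  log_text.each_line.map(&:chomp).select { |line| line.match?(LEAK_PATTERN) }
end

# Constructed input mirroring the parameters in the issue's log excerpt,
# plus a nested form to show recursion and substring matching of the key.
SAMPLE_PARAMS = {
  "action" => "login", "controller" => "account",
  "login" => "user11", "password" => "secretpasswrd",
  "user" => { "new_password" => "hunter2", "mail" => "user11@example.com" },
}.freeze

# Constructed log fragment: the request from the issue's excerpt, followed
# by the same request as a fixed build would log it.
SAMPLE_LOG = <<~LOG
  Processing AccountController#login (for 10.15.28.114 at 2007-03-28 18:45:37) [POST]
  Session ID: 24b78e320a2de5d25615574f8a31e3b2
  Parameters: {"action"=>"login", "controller"=>"account", "login"=>"user11", "password"=>"secretpasswrd"}
  Authenticating 'user11' against 'Company'
  Processing AccountController#login (for 10.15.28.114 at 2007-03-28 18:50:02) [POST]
  Parameters: {"action"=>"login", "controller"=>"account", "login"=>"user11", "password"=>"[FILTERED]"}
LOG

if __FILE__ == $0
  puts log_parameters_line(SAMPLE_PARAMS)
  leaked_password_lines(SAMPLE_LOG).each { |l| puts "LEAK: #{l}" }
end
```

Two practical caveats the scanner makes visible: the fix only stops new lines from being written, so logs produced before the upgrade still hold the clear-text values and should be purged or rotated; and matching on the key name means a field called e.g. "passwd" or "secret" is not covered unless the pattern is widened.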
