Defect #28

LDAP password are exposed in clear in the logs

Added by Yacin Bahi almost 16 years ago. Updated almost 16 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:-% Done:


Target version:-
Resolution: Affected version:


debugging information display LDAP password in clear in the developement.log and production.log files.

Processing AccountController#login (for at 2007-03-28 18:45:37) [POST]
Session ID: 24b78e320a2de5d25615574f8a31e3b2
Parameters: {"action"=>"login", "controller"=>"account",
"login"=>"user11", "password"=>"secretpasswrd"}
User Load (0.002259) SELECT * FROM users WHERE (login='user11') LIMIT 1
AuthSource Load (0.002554) SELECT * FROM auth_sources WHERE (onthefly_register=1)
AuthSource Columns (0.001881) SHOW FIELDS FROM auth_sources
AuthSourceLdap Columns (0.002013) SHOW FIELDS FROM auth_sources
Authenticating 'user11' against 'Company'
DN found for user11: uid=user11,ou=People,
Authentication successful for 'user11'


#1 Updated by Yacin Bahi almost 16 years ago

I've updated to the latest code, thx !

#2 Updated by Jean-Philippe Lang almost 16 years ago

You're right. This issue was fixed several weeks ago in the code
repository. Now, any parameters containing "password"
are hidden in the logs.

If you can't wait for the next release (that should come in the
next weeks), i suggest you to checkout the latest source from
the trunk:

svn checkout svn://


Also available in: Atom PDF