exposed password in log if login failed #5
Comments
The root cause is incorrect configuration: the path to debug.txt given in log4php.xml is not absolute. Running fopen() on the underspecified filename causes a PHP error, because the file couldn't be found. This error is caught in server.php by a function that rethrows it as an ErrorException, adding a full stack trace. Problems start when the ErrorException itself is not caught, but instead disappears into a log somewhere, along with the stack trace. That's definitely a problem. I'll fix this by not rethrowing PHP errors as ErrorExceptions, but just logging the line number and file. We lose the stack traces, but I don't think those are very useful without further context anyway.
Should be improved/solved in commit 7c06c: unhandled errors are caught by a global handler that just logs the error and quits. No more stack traces, no more displaying error messages to end users.
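The change described in the two comments above, as an added PHP illustration that is not sabre-zarafa's own code: an error handler that rethrows as ErrorException next to one that logs only message, file and line. The function names, the sample password and the file path are hypothetical; whether arguments appear in the trace depends on PHP's `zend.exception_ignore_args` setting (PHP 7.4 and later).

```php
<?php
// Added illustration; checkLogin() and the file path are hypothetical.

// "Before": every PHP error is rethrown as an ErrorException. If nothing
// catches it, the trace, including call arguments, ends up in a log.
function rethrowingHandler(int $severity, string $message, string $file, int $line): bool
{
    throw new ErrorException($message, 0, $severity, $file, $line);
}

// "After": log only the message, file and line, then carry on.
function loggingHandler(int $severity, string $message, string $file, int $line): bool
{
    error_log(sprintf('PHP error %d: %s in %s:%d', $severity, $message, $file, $line));
    return true; // handled; skip PHP's built-in handler
}

// Global handler for anything still uncaught: log without a trace and quit.
function lastResortHandler(Throwable $e): void
{
    error_log(sprintf('Unhandled %s: %s in %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    exit(1);
}

// Stand-in for a login routine whose debug log cannot be opened.
function checkLogin(string $user, string $password): bool
{
    $fh = fopen('/nonexistent-dir/debug.txt', 'a'); // raises E_WARNING
    if ($fh !== false) {
        fclose($fh);
    }
    return false;
}

$password = 'S3cret-pw'; // constructed sample value

set_error_handler('rethrowingHandler');
try {
    checkLogin('alice', $password);
} catch (ErrorException $e) {
    // The checkLogin() frame in the trace carries both call arguments
    // unless zend.exception_ignore_args is enabled.
    $leaked = strpos($e->getTraceAsString(), $password) !== false;
    echo $leaked ? "password is in the trace\n" : "trace has no arguments\n";
}

set_error_handler('loggingHandler');
set_exception_handler('lastResortHandler');
checkLogin('alice', $password); // one log line: message, file, line only
```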
The path is absolute (/usr/share/sabre-zarafa/debug.txt where sabre-zarafa is a symlink to sabre-zarafa-0.18), but at the time that log was created, debug.txt wasn't writable by the apache user. Thanks for your efforts on sabre-zarafa. This version works great with Evolution!
This was fixed in 0.20.
I'm not sure if this was because of the wrong permissions for the debug.txt, but when I recently logged in and accidentally typed a wrong password, I found that password in my apache log (XXXXXX in the log below). I think it would be good to add an exception handler so this will not be exposed in the log.
error.log:
server:
Debian 6 Squeeze
client:
Ubuntu Quantal 12.10