exposed password in log if login failed #5

Closed
Germar opened this issue May 12, 2013 · 4 comments

Comments


Germar commented May 12, 2013

I'm not sure if this was because of the wrong permissions for the debug.txt, but when I recently logged in and accidentally typed a wrong password I found that password in my apache log (XXXXXXX in the log below). I think it would be good to add an exception handler so this will not be exposed in the log.

error.log:

[Wed May 08 18:02:58 2013] [error] [client 192.168.0.165] PHP Warning:  fopen(/usr/share/sabre-zarafa/debug.txt): failed to open stream: Permission denied in /usr/share/sabre-zarafa-0.18/lib/log4php/appenders/LoggerAppenderFile.php on line 99
[Wed May 08 18:02:58 2013] [error] [client 192.168.0.165] PHP Warning:  log4php: [LoggerAppenderRollingFile:fileAppender]: Failed opening target file. Closing appender. in /usr/share/sabre-zarafa-0.18/lib/log4php/LoggerAppender.php on line 283
[Wed May 08 18:02:58 2013] [error] [client 192.168.0.165] PHP Fatal error:  Uncaught exception 'ErrorException' with message 'mapi_logon_zarafa(): 
Unable to setup service for provider' in /usr/share/sabre-zarafa-0.18/ZarafaBridge.php:91
Stack trace:
#0 [internal function]: exception_error_handler(2, 'mapi_logon_zara...', '/usr/share/sabr...', 91, Array)
#1 /usr/share/sabre-zarafa-0.18/ZarafaBridge.php(91): mapi_logon_zarafa('USER', 'XXXXXXX', 'file:///var/run...')
#2 /usr/share/sabre-zarafa-0.18/ZarafaAuthBackend.php(44): Zarafa_Bridge->connect('USER', 'XXXXXXX')
#3 /usr/share/sabre-zarafa-0.18/lib/SabreDAV/lib/Sabre/DAV/Auth/Backend/AbstractBasic.php(77): Zarafa_Auth_Basic_Backend->validateUserPass('USER', 'XXXXXXX')
#4 /usr/share/sabre-zarafa-0.18/lib/SabreDAV/lib/Sabre/DAV/Auth/Plugin.php(108): Sabre\DAV\Auth\Backend\AbstractBasic->authenticate(Object(Sabre\DAV\Server), 'Zarafa SabreDAV...')
#5 [internal function]: Sabre\DAV\Auth\Plugin->beforeMethod('PROPFIND', 'addressbooks/ge...')
#6 /usr/share/sabre-zarafa-0.18/lib/SabreDAV/lib/Sabre/DAV/Server.php(433): c in /usr/share/sabre-zarafa-0.18/ZarafaBridge.php on line 91

server:

Debian 6 Squeeze

$ /usr/sbin/apache2 -v
Server version: Apache/2.2.16 (Debian)
Server built:   Mar  3 2013 11:36:05
$ /usr/bin/php5 -v
PHP 5.3.3-7+squeeze15 with Suhosin-Patch (cli) (built: Mar  4 2013 14:05:25) 
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
    with XCache v1.3.0, Copyright (c) 2005-2009, by mOo
    with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
$ /usr/bin/zarafa-admin -V
Product version:    7,0,13,41388
File version:       41388
$ tail -n 2 /usr/share/sabre-zarafa-0.18/version.inc.php
    define ('SABRE_ZARAFA_REV', '6c07b68');
    define ('SABRE_ZARAFA_DATE', '2013-04-22 13:55:49 +0200');

client:

Ubuntu Quantal 12.10

$ evolution -v
evolution 3.6.2

ghost commented May 13, 2013

The root cause is incorrect configuration: the path to debug.txt given in log4php.xml is not absolute. Running fopen() on the underspecified filename causes a PHP error, because the file couldn't be found. This error is caught in server.php by a function that rethrows it as an ErrorException, adding a full stack trace. Problems start when the ErrorException itself is not caught, but instead disappears into a log somewhere, along with the stack trace. That's definitely a problem.

I'll fix this by not rethrowing PHP errors as ErrorExceptions, but just logging the line number and file. We lose the stack traces, but I don't think those are very useful without further context anyway.


ghost commented May 13, 2013

Should be improved/solved in commit 7c06c: unhandled errors are caught by a global handler that just logs the error and quits. No more stack traces, no more displaying error messages to end users.
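The two comments above describe the mechanism (a PHP warning rethrown as an ErrorException, whose stack trace records the arguments of every frame, password included) and the fix (a global handler that logs only the error and stops). The PHP below is an added example and not code from sabre-zarafa: it puts the leaky handler and the hardened handler side by side. `login_backend()`, `authenticate()` and the sample credentials are constructed stand-ins for `mapi_logon_zarafa()` and the real login path.

```php
<?php
// Added example, not sabre-zarafa's own code. Demonstrates why rethrowing
// PHP errors as ErrorException leaks credentials via the stack trace, and
// what a handler that logs only message/file/line looks like instead.

// Hypothetical backend login; stands in for mapi_logon_zarafa().
function login_backend(string $user, string $password): bool
{
    // The real extension reports failure as a plain PHP warning; simulate that.
    trigger_error('login_backend(): Unable to setup service for provider', E_USER_WARNING);
    return false;
}

// Hypothetical caller; stands in for Zarafa_Bridge->connect() / validateUserPass().
function authenticate(string $user, string $password): bool
{
    return login_backend($user, $password);
}

// Leaky pattern: every PHP error becomes an ErrorException. The exception
// captures the call stack, and each frame carries its arguments, so the
// password travels into whatever log finally receives the uncaught exception.
function leaky_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
}

// Hardened pattern: record only what is needed to locate the fault, then stop.
// No trace, no arguments, and no error text echoed back to the client.
function safe_error_handler(int $errno, string $errstr, string $errfile, int $errline)
{
    if (!(error_reporting() & $errno)) {
        return false; // respect @-suppression and error_reporting(), as PHP expects
    }
    error_log(sprintf('PHP error %d: %s in %s on line %d', $errno, $errstr, $errfile, $errline));
    http_response_code(500);
    exit;
}

// Constructed sample credentials.
$user = 'alice';
$password = 'S3cret-Pa55';

// 1. Leaky handler: the password is visible in the exception's trace string.
set_error_handler('leaky_error_handler');
try {
    authenticate($user, $password);
} catch (ErrorException $e) {
    $trace = $e->getTraceAsString();
    if (strpos($trace, $password) !== false) {
        echo "leaky handler: password present in trace\n";
    }
}
restore_error_handler();

// 2. Hardened handler: only "PHP error 512: login_backend(): ... in <file> on line <n>"
//    reaches error_log(); the script then ends with a generic 500.
set_error_handler('safe_error_handler');
authenticate($user, $password);
```

Two caveats worth knowing when reading traces like the one in the report. First, PHP abbreviates long string arguments in trace output (the log above shows `'mapi_logon_zara...'` and `'file:///var/run...'`), but short strings are printed in full, which is why a seven-character password appeared verbatim; truncation is not a safeguard. Second, on PHP 7.4 and later the ini setting `zend.exception_ignore_args=On` drops arguments from exception traces entirely, which is a useful belt-and-braces setting for any deployment where a trace might still reach a log, but it does not exist for the PHP 5.3 in the report, so the handler change above is the fix that applies there.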


Germar commented May 13, 2013

The path is absolute (/usr/share/sabre-zarafa/debug.txt, where sabre-zarafa is a symlink to sabre-zarafa-0.18), but when that log was created debug.txt wasn't writable by the apache user.

Thanks for your efforts on sabre-zarafa. This version works great with Evolution!


ghost commented Jun 26, 2013

This was fixed in 0.20.

@ghost ghost closed this as completed Jun 26, 2013