Password saved in the clear text in the server log. #171

Closed
cezarsn opened this issue Jun 5, 2016 · 2 comments

cezarsn commented Jun 5, 2016

In case of an error in a transaction because of an error in the POST request, the whole transaction information, including the password and the second password, is saved in the log of the application. The application should not save user-related data into the log.

error 2016-06-05 10:44:06 /api/signatures { [SyntaxError: Unexpected string]
body: '{"--ommited....","secondSecret":"--ommited....","publicKey":"0348axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
status: 400,
statusCode: 400 }

@cezarsn cezarsn changed the title Password saved in the clear test in the server log. Password saved in the clear txst in the server log. Jun 5, 2016
@cezarsn cezarsn changed the title Password saved in the clear txst in the server log. Password saved in the clear text in the server log. Jun 5, 2016
@staticinstance

@cezarsn can you give repro steps on this?

cezarsn commented Jun 6, 2016

If you want to authorise a transfer, put a non-BIP39 character like '-* or non-alphanumeric characters in the second passphrase. The request will fail and the POST parameters for the transaction are saved in the log. One of the parameters is the second passphrase.

@karmacoma karmacoma added the ready label Jun 8, 2016
@karmacoma karmacoma added this to the Version 0.3.2 milestone Jun 8, 2016
@fix fix self-assigned this Jun 10, 2016
@fix fix added in progress and removed ready labels Jun 10, 2016
karmacoma added a commit that referenced this issue Jun 12, 2016
Fixing typo error in multisignature sockets.emit.
@karmacoma karmacoma modified the milestones: Version 0.3.3, Version 0.3.2 Aug 9, 2016
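
The leak reported in this issue, handled at the logging step: an added example that is not part of the thread or the project's code. The function names and every key name other than `secondSecret` are assumptions, and the error object is constructed to match the shape shown in the log above.

```javascript
// Added example, not the project's code. Only "secondSecret" appears in the
// issue's log; the other key names are assumptions.
const SENSITIVE_KEYS = new Set(['secret', 'secondsecret', 'password', 'passphrase']);

// Recursively copy a parsed body, masking values stored under sensitive keys.
function redactObject(value) {
  if (Array.isArray(value)) return value.map(redactObject);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? '[REDACTED]' : redactObject(v);
    }
    return out;
  }
  return value;
}

// Build the log entry for a request error shaped like { body, status, statusCode }.
function sanitizeForLog(err) {
  const entry = { error: err.name || 'Error', status: err.status || err.statusCode };
  let parsed = err.body;
  if (typeof parsed === 'string') {
    try {
      parsed = JSON.parse(parsed);
    } catch (_) {
      // Malformed body: a stray quote inside a passphrase shifts the field
      // boundaries, so pattern-based masking could leak part of it. Record
      // only the size. err.message is skipped too, because newer V8 versions
      // quote part of the input in JSON SyntaxError messages.
      entry.bodyLength = err.body.length;
      return entry;
    }
  }
  if (parsed !== null && typeof parsed === 'object') entry.body = redactObject(parsed);
  return entry;
}

// Constructed sample: a second passphrase containing a quote and '-*'.
function constructedError() {
  const raw = '{"secret":"alpha beta","secondSecret":"gam"ma -*","publicKey":"03aa"}';
  try {
    JSON.parse(raw);
  } catch (e) {
    return Object.assign(e, { body: raw, status: 400, statusCode: 400 });
  }
  return null;
}

console.log(JSON.stringify(sanitizeForLog(constructedError())));
```

Passing the logger the result of `sanitizeForLog(err)` instead of `err` keeps the status and error type for debugging while the passphrases never reach the log file.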