
Release v1.1.12 #16

Merged
merged 1 commit into from Apr 5, 2013


hakre commented Apr 5, 2013

This release fixes a potential security issue: In case the password started with the @ symbol, curl would have tried to transfer a file named like it (because of the @ in its beginning). Transferring such a file would be a problem on its own. But even if not, the exception message that informs about the failure contains the password in plaintext (only the @ missing) then. If those messages are passed to the user without further checks, the password would have been leaked. Same for storing the error messages into log-files.

An exemplary error message for the exemplary password @password is:

Curl error: (#26) couldn't open file "password" CODE_CURL_ERROR

This has been fixed now as this is a flaw. Instead the login now works or the following exception is given:

Login unsuccessful. CODE_LOGIN_ERROR.

Which is the common and intended exception for any wrong password.

If you have used a password starting with the @ symbol previously, change your dropbox password after update. Also scan the log for error messages in the pattern as given above and alter the files to remove the sensitive information.

Changes in this version:

  • Fix that allows "@" ("\x40") as first character in passwords. Fixes a security issue. See Issue #15
  • Fix error message on empty email address. Introduced in 7a12003

Version bump v1.1.12
- Fix that allows "@" ("\x40") as first character in passwords. Fixes a security issue. See Issue #15
- Fix error message on empty email address. Introduced in 7a12003
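As an added illustration (not the project's code), the curl_setopt() pattern the PR describes beside a form that never interprets a field value as a file path, plus a scan for the leaking message pattern in logs; the URL, the field names and the sample log lines are placeholders constructed for this example.

```php
<?php
// Added example, not the project's code; URL and field names are placeholders.
// Vulnerable pattern (PHP before 5.6, or CURLOPT_SAFE_UPLOAD set to false): when
// CURLOPT_POSTFIELDS is an array, a value beginning with "@" means "upload the
// file at this path". For the password "@password" curl tries to open the file
// "password", fails with CURLE_READ_ERROR (26), and curl_error() echoes the
// path, i.e. the password without its leading "@".
function loginUnsafe($url, $email, $password) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, ['email' => $email, 'password' => $password]);
    $body = curl_exec($ch);
    if ($body === false) {
        // Leaks: the message reads 'couldn't open file "password"'.
        throw new RuntimeException('Curl error: (#' . curl_errno($ch) . ') ' . curl_error($ch));
    }
    return $body;
}

// Hardened form: encode the body as a string yourself. A string body is sent
// verbatim, so "@" is just another character, and curl_error() text is never
// surfaced to the user or the log; only the numeric code is recorded.
function loginSafe($url, $email, $password) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['email' => $email, 'password' => $password]));
    $body = curl_exec($ch);
    if ($body === false) {
        error_log('curl failure errno=' . curl_errno($ch));
        throw new RuntimeException('Login unsuccessful. CODE_LOGIN_ERROR.');
    }
    return $body;
}

// Log audit: return the lines matching the leaking message pattern from the PR,
// so they can be located and redacted.
function findLeakedPasswordLines(array $logLines) {
    return array_values(array_filter($logLines, function ($line) {
        return preg_match('/couldn\'t open file "[^"]*"/', $line) === 1;
    }));
}

$sampleLog = [ // constructed sample lines
    "2013-04-05 10:00:01 Curl error: (#26) couldn't open file \"password\" CODE_CURL_ERROR",
    "2013-04-05 10:00:02 Login unsuccessful. CODE_LOGIN_ERROR.",
];
print_r(findLeakedPasswordLines($sampleLog));
```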

hakre added a commit that referenced this pull request Apr 5, 2013

@hakre hakre merged commit d591829 into jakajancar:master Apr 5, 2013

@hakre hakre deleted the hakre:patch-email-and-password branch Apr 5, 2013
