User information leaking through debug log prints. #116
Milestone
Comments
|
I believe #118 is a better fix. |
mario
added a commit
that referenced
this issue
Feb 12, 2018
Fixes #116: Remove leaking of user sensitive information
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
adb logcat reveals several debug log entries marked with "GetRemoteUserInfoOperation". Here is one example.
02-09 23:12:33.410 28516 3060 D GetRemoteUserInfoOperation: Successful response: {"ocs":{"meta":{"status":"ok","statuscode":100,"message":"OK","totalitems":"","itemsperpage":""},"data":{"enabled":"true","id":"xxx","quota":{"free":110406975803,"used":50654297797,"total":161061273600,"relative":31.45,"quota":161061273600},"email":"xxx@xxx.xx","phone":"","address":"","website":"https:\/\/redacted.com","twitter":"@redacted","groups":["admin"],"language":"en","display-name":"Redacted"}}}It makes sense to print these as a debugging measure, but it doesnt belong in a production ready deployment. My recommendation would either be to use a wrapper class to filter the log prints away from RELEASE builds or use Proguard to filter out the debug code completely.
The text was updated successfully, but these errors were encountered: