Using encryption logs user password in clear-text #6576
Comments
We are doing this already: Lines 63 to 99 in b68609d
Do you want to send a pull request to extend the list of methods? 😉 As for the recoverable password. There are multiple reasons, one is that we might need it for external storages anyway. |
I can try... Although I'm at least 2 PRs behind in my plan, because last weekend was stupidly full again ;-) So I most likely won't have time to tend to this until this weekend... |
Hmm... I just got around to testing this, but at least in the 13.0.0a version the problem does not exist (at least without 2FA, but I cannot find the 2FA-app for this version yet). Has something changed in regards to the login procedure, if the app token has no access to the file system? I can and will however make a "blind" PR, simply adding the affected methods in the log to the array. //edit: In this context, how does one censor this line:
|
Try |
I created the PR, I guess we can close this... |
Close it once it is merged ;) Or use GitHub's automatic closing feature https://help.github.com/articles/closing-issues-using-keywords/ 😉 |
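The thread refers to a list of methods whose parameters are censored before an exception's stack trace is written to the log, and the fix under discussion is to add the missing login-related methods to that list. The following PHP sketch is an added example of that mechanism, not Nextcloud's own code: `TraceSanitizer`, `DemoUserSession`, the method names in `SENSITIVE_METHODS` and the key-based fallback in `SENSITIVE_KEYS` are all assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Nextcloud's code. Before an exception trace is logged,
// frames whose method is on a "sensitive parameters" list have their arguments
// replaced; as a fallback, array arguments are scanned for secret-looking keys.
// Method names, key names and the demo class are assumptions.

final class TraceSanitizer
{
    /** Method names whose arguments are replaced wholesale (assumed list). */
    private const SENSITIVE_METHODS = [
        'login', 'checkPassword', 'setPassword', 'validateToken',
    ];

    /** Array keys redacted wherever they appear inside an argument (assumed). */
    private const SENSITIVE_KEYS = ['password', 'token', 'secret'];

    public const REPLACEMENT = '*** sensitive parameters replaced ***';

    /**
     * @param array<int, array<string, mixed>> $trace  output of Exception::getTrace()
     * @return array<int, array<string, mixed>>
     */
    public static function sanitize(array $trace): array
    {
        foreach ($trace as $i => $frame) {
            if (!isset($frame['args'])) {
                continue; // nothing to leak (e.g. zend.exception_ignore_args=1)
            }
            $method = $frame['function'] ?? '';
            if (in_array($method, self::SENSITIVE_METHODS, true)) {
                $trace[$i]['args'] = [self::REPLACEMENT];
            } else {
                $trace[$i]['args'] = self::redactKeys($frame['args']);
            }
        }
        return $trace;
    }

    /** Fallback: redact values stored under sensitive keys inside array arguments. */
    private static function redactKeys(array $args): array
    {
        foreach ($args as $key => $value) {
            if (is_string($key) && in_array(strtolower($key), self::SENSITIVE_KEYS, true)) {
                $args[$key] = self::REPLACEMENT;
            } elseif (is_array($value)) {
                $args[$key] = self::redactKeys($value);
            }
        }
        return $args;
    }

    /** Render a trace the way a plain-text log line would carry it. */
    public static function format(array $trace): string
    {
        $lines = [];
        foreach ($trace as $n => $frame) {
            $call = ($frame['class'] ?? '') . ($frame['type'] ?? '') . ($frame['function'] ?? '');
            $args = json_encode($frame['args'] ?? []);
            $lines[] = sprintf('#%d %s(%s)', $n, $call, $args);
        }
        return implode("\n", $lines);
    }
}

// Constructed demo: a login path that fails while the password is still an argument.
final class DemoUserSession
{
    public function login(string $user, string $password): bool
    {
        throw new RuntimeException('storage unavailable'); // simulated failure
    }
}

try {
    (new DemoUserSession())->login('alice', 'hunter2'); // constructed credentials
} catch (RuntimeException $e) {
    // Arguments only appear in the trace when zend.exception_ignore_args=0.
    $raw = $e->getTrace();
    echo TraceSanitizer::format($raw), "\n\n";                          // unsanitized: contains 'hunter2'
    echo TraceSanitizer::format(TraceSanitizer::sanitize($raw)), "\n";  // login frame args redacted
}
```

Run it with `php -d zend.exception_ignore_args=0 sanitize_demo.php` to see both renderings. Two points worth noting from a defender's side: a denylist like this only protects methods someone remembered to add, which is exactly the gap the report describes, so the key-based fallback above exists to catch the common case where a secret is passed inside a named array. The coarser but more robust control, available since PHP 7.4, is `zend.exception_ignore_args=1` (the php.ini-production default), which drops arguments from traces entirely; the sanitizer then has nothing to redact, and the `isset($frame['args'])` check handles that case.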
Problem description
While logging issue #6541, I noticed that in my NC log, the user password and token of the affected user were logged in clear-text, although other sensitive information was obfuscated:
excerpt from log file
I denoted:
I was quite surprised, to say the least, to even find the user's password and (partial) token in cleartext in the logs, because this means it has to be saved somewhere in a recoverable state.
So I guess this report is to:
General server configuration
Operating system: Linux hermes 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u3 (2017-08-15) x86_64
Web server: nginx/1.12.1 (fpm-fcgi)
Database: pgsql PostgreSQL 9.4.13 on x86_64-unknown-linux-gnu, compiled by gcc (Debian 4.9.2-10) 4.9.2, 64-bit
PHP version: 7.0.23-1~dotdeb+8.1
PHP-modules loaded
Nextcloud configuration
Nextcloud version: 12.0.3 RC2 - 12.0.3.1
Updated from an older Nextcloud/ownCloud or fresh install: YOUR ANSWER HERE
Where did you install Nextcloud from: YOUR ANSWER HERE
Are you using external storage, if yes which one: Array
(
[0] => \OC\Files\Storage\Local
[1] => \OCA\Files_External\Lib\Storage\FTP
[2] => \OC\Files\Storage\DAV
[3] => \OCA\Files_External\Lib\Storage\OwnCloud
[4] => \OCA\Files_External\Lib\Storage\SFTP
[5] => \OCA\Files_External\Lib\Storage\AmazonS3
[6] => \OCA\Files_External\Lib\Storage\Dropbox
[7] => \OCA\Files_External\Lib\Storage\Google
[8] => \OCA\Files_External\Lib\Storage\Swift
[9] => \OCA\Files_External\Lib\Storage\SFTP
[10] => \OCA\Files_External\Lib\Storage\SMB
[11] => \OCA\Files_External\Lib\Storage\SMB
)
Are you using encryption: yes
Are you using an external user-backend, if yes which one:
Signing status
This is discussed here nextcloud/calendar#600
Enabled apps
Disabled apps
Content of config/config.php
Client configuration
Browser: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.113 Chrome/60.0.3112.113 Safari/537.36
Operating system: Ubuntu 16.10