OCA\Encryption\Controller\SettingsController->updatePrivateKeyPassword displays password in plain text when logged #23717

Closed
gnohp opened this Issue Mar 31, 2016 · 2 comments


@gnohp
gnohp commented Mar 31, 2016

Steps to reproduce

  1. Change AD user password (Assuming user account previously logged into ownCloud and private/public keys exist)
  2. Log in to ownCloud with new password
  3. Go to Personal > ownCloud basic encryption module
  4. Type old password in old password textbox
  5. Type new password in new password textbox
  6. Click Update

Expected behaviour

Update successfully with green status bar

Actual behaviour

Updated private key but found a log entry due to an exception from getLDAPUserByLoginName. This displays the old and new password in plain text from updatePrivateKeyPassword. I would expect updatePrivateKeyPassword to replace the password text with a text similar to *** password replaced ***.

Server configuration

Operating system:
CentOS 6.6

Web server:
Apache

Database:
Galera Cluster

PHP version:
5.6

ownCloud version: (see ownCloud admin page)
9.0.0

Updated from an older ownCloud or fresh install:
8.2.3

Are you using external storage, if yes which one: local/smb/sftp/...
no

Are you using encryption: yes/no
yes

Logs

ownCloud log (data/owncloud.log)

Exception: {"Exception":"Exception","Message":"No user available for the given login name.","Code":0,"Trace":"#0 /var/www/html/owncloud/apps/user_ldap/user_ldap.php(120): OCA\user_ldap\USER_LDAP->getLDAPUserByLoginName('GUID...')\n#1 /var/www/html/owncloud/lib/private/user/manager.php(183): OCA\user_ldap\USER_LDAP->checkPassword(*** username and password replaced ***)\n#2 /var/www/html/owncloud/apps/encryption/controller/settingscontroller.php(113): OC\User\Manager->checkPassword(*** username and password replaced ***)\n#3 [internal function]: OCA\Encryption\Controller\SettingsController->updatePrivateKeyPassword('PASSWORD SHOWN IN PLAIN TEXT', 'PASSWORD SHOWN IN PLAIN TEXT')\n#4 /var/www/html/owncloud/lib/private/appframework/http/dispatcher.php(159): call_user_func_array(Array, Array)\n#5

@LukasReschke LukasReschke added this to the 9.0.2-next-maintenance milestone Apr 1, 2016
@LukasReschke LukasReschke added the bug label Apr 1, 2016
@LukasReschke
Member

Patch for future log entries is at #23722

@gnohp
gnohp commented Apr 1, 2016

Thanks @LukasReschke! Verified it's fixed
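
The patch referenced above applies to future log entries, so traces already written to data/owncloud.log keep their arguments. As an added example (not ownCloud's code and not the patch itself), the Python below redacts the argument list of named methods in a PHP trace, frame by frame, so that a password containing `)` or `'` is still removed in full. It assumes a logged message of the form `Exception: {JSON}` with a `Trace` field, as in the log above; the function names and the sample trace are constructed for illustration.

```python
import json
import re

# Methods whose arguments must not stay in a log. Both names appear in the
# trace in this report; extending the list is a deployment decision.
SENSITIVE_METHODS = ("checkPassword", "updatePrivateKeyPassword")
PLACEHOLDER = "*** password replaced ***"  # wording suggested in the report

# Constructed sample (not from the report); passwords contain ')' and "'".
SAMPLE_TRACE = (
    "#0 /srv/oc/manager.php(183): Backend->checkPassword('alice', 'old)pw')\n"
    "#1 [internal function]: Ctl->updatePrivateKeyPassword('old)pw', 'new'pw')\n"
    "#2 {main}"
)

def redact_frame(frame, methods=SENSITIVE_METHODS):
    """Blank the argument list of a sensitive call in one trace frame."""
    for name in methods:
        # Require -> or :: so a file path containing the name is not matched.
        m = re.search(r"(?:->|::)" + re.escape(name) + r"\(", frame)
        if m:
            # Cut to the LAST ')' in the frame: PHP prints string arguments
            # without escaping quotes or parentheses inside them.
            end = frame.rfind(")")
            tail = frame[end:] if end >= m.end() else ""
            return frame[:m.end()] + PLACEHOLDER + tail
    return frame

def redact_trace(trace, methods=SENSITIVE_METHODS):
    """Redact a decoded trace; a frame starts at a line beginning '#<n> '."""
    frames = re.split(r"\n(?=#\d+ )", trace)
    return "\n".join(redact_frame(f, methods) for f in frames)

def redact_message(message, methods=SENSITIVE_METHODS):
    """Redact a logged 'Exception: {json}' message; pass others through."""
    prefix, brace, body = message.partition("{")
    try:
        record = json.loads(brace + body)
    except ValueError:
        return message
    if not isinstance(record, dict) or not isinstance(record.get("Trace"), str):
        return message
    record["Trace"] = redact_trace(record["Trace"], methods)
    return prefix + json.dumps(record, separators=(",", ":"))

if __name__ == "__main__":
    print(redact_trace(SAMPLE_TRACE))
```

Messages that do not parse as JSON, such as a truncated entry, are returned unchanged and need a manual check.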
