Password visible if app is launch within a shell

[rapha8l]

Hi,

Thanks for your installer, which is very helpful.
A little thing bothered me, as I launched the app from within a shell, I saw my password clearly written in stdout in the shell.
I think it would be better if it was obfuscated, even if launching from a shell may be not the main way to start ubports-installer.
regards

[NeoTheThird]

Weird, that shouldn't happen... https://github.com/ubports/ubports-installer/blob/master/src/utils.js#L140. I'll have to investigate where that's coming from.

I think it would be better if it was obfuscated, even if launching from a shell may be not the main way to start ubports-installer.

Of course, this needs to be fixed. Logging the password in clear text is a no-go. Sorry about that and thanks for reporting.

[rapha8l]

Thanks for you reply.
I used the UBports Installer 0.1.8-beta deb package (maybe it's working normally in head)

[NeoTheThird]

No, it doesn't. Something is going wrong.

[timsueberkrueb]

Hey Jan, I believe it's coming from here:

ubports-installer/src/utils.js

Line 244 in 9b8d6e2

log.debug("Running platform tool exec asar cmd "+cmd);

[mjsir911]

This is a problem for me too, makes it harder to report logs.

Difference between just copy-pasting and having to go through the logs myself to remove any sensitive data

debug: Running platform tool exec asar cmd echo ***password*** | sudo -S fastboot devices

[timsueberkrueb]

This is particularly alarming as the automatic bug report feature leads to user passwords being uploaded to paste.ubuntu.com.
@mariogrip @NeoTheThird

[NeoTheThird]

Fixed in 598841d for now. Sorry it took so long, everyone!