Don't print parameter values in logs, in productionmode

Bug #1570221 reported by Aaron Wells on 2016-04-14
Affects | Status | Importance | Assigned to | Milestone
Mahara | | Medium | Aaron Wells |
15.04 | | Medium | Aaron Wells |
15.10 | | Medium | Aaron Wells |
16.04 | | Medium | Aaron Wells |
16.10 | | Medium | Aaron Wells |

Bug Description

Following on from Bug 1567186, even scrubbing out parameters that we know to be passwords is not a fool-proof way to keep passwords and sensitive data out of the logs. Params might be misnamed, or sensitive data might be passed through general-purpose functions.

The only surefire way to prevent secure data from being printed to the logs is to avoid printing parameter values in stacktraces at all. However, parameter values are useful for debugging, so I think we should show them when productionmode=false, and hide them when productionmode=true.


Aaron Wells (u-aaronw) wrote :
Changed in mahara:
milestone: none → 16.10.0
importance: Undecided → Medium
assignee: nobody → Aaron Wells (u-aaronw)
status: New → In Progress
Aaron Wells (u-aaronw) wrote :

Patch is ready for merging in the next security release.

Changed in mahara:
status: In Progress → Fix Committed
summary: - No parameter values in logs, in productionmode
+ Don't print parameter values in logs, in productionmode

Reviewed: https://reviews.mahara.org/6813
Committed: https://git.mahara.org/mahara/mahara/commit/b984a1b40700e37f120019cae7fc5a681c9c092a
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit b984a1b40700e37f120019cae7fc5a681c9c092a
Author: Aaron Wells <email address hidden>
Date: Thu Apr 14 19:52:42 2016 +1200

Bug 1570221 Don't print parameter values to logs when in production mode

The best way to prevent sensitive data from being printed to the logs
is to avoid printing the value of *any* parameter. For instance, a
password parameter may have an unusual name, or it may be passed
through a general-purpose function like "strlen()".

Since parameter values are useful for debugging, we can still print
them when not in production mode (although with known password
params still scrubbed out).

Note this patch both scrubs likely password params, and hides their
scrubbed value. That's mostly because I'm lazy, but it also obscures
the password's actual length.

Change-Id: I4a1ab4c89a169c6b29a7b63384c2412cee761ab7
behatnotneeded: Can't test with behat
(cherry picked from commit 9a2972495d55c55633f1fa10522cd567933ecf6f)
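
The behaviour the commit message describes, as an added example that is not Mahara's code or the patch itself: a backtrace formatter that prints no argument values in production mode and, otherwise, prints values with likely password parameters scrubbed. The function names, the name pattern and the call chain are assumptions made for illustration.

```php
<?php
// Added illustration, not Mahara's code. All names, and the pattern below, are assumptions.
const SECRET_PARAM = '/pass|pw|secret|token/i';

// Render one debug_backtrace() frame as "function(args)".
function render_frame(array $frame, bool $productionmode): string {
    $class = $frame['class'] ?? null;
    $name = ($class ? $class . $frame['type'] : '') . $frame['function'];
    $args = $frame['args'] ?? [];
    if ($productionmode) {
        // Production: print no values at all, only how many there were.
        return $name . '(' . count($args) . ' args hidden)';
    }
    // Debugging: map positions to declared names so known secrets can be scrubbed.
    $names = [];
    try {
        $ref = $class ? new ReflectionMethod($class, $frame['function'])
                      : new ReflectionFunction($frame['function']);
        foreach ($ref->getParameters() as $p) {
            $names[$p->getPosition()] = $p->getName();
        }
    } catch (ReflectionException $e) {
        // Closures and include frames have no reflectable name; print by position.
    }
    $out = [];
    foreach ($args as $i => $value) {
        if (isset($names[$i]) && preg_match(SECRET_PARAM, $names[$i])) {
            $out[] = '$' . $names[$i] . '=(hidden)'; // fixed marker, so length is hidden too
        } else {
            $out[] = is_scalar($value) ? var_export($value, true) : gettype($value);
        }
    }
    return $name . '(' . implode(', ', $out) . ')';
}

function log_trace(bool $productionmode): array {
    $frames = array_slice(debug_backtrace(), 1); // drop the log_trace() frame itself
    return array_map(fn($f) => render_frame($f, $productionmode), $frames);
}

// Constructed call chain: the secret reaches a general-purpose helper under another name.
function trim_input($value, bool $productionmode): array {
    return log_trace($productionmode);
}
function check_login(string $username, string $password, bool $productionmode): array {
    return trim_input($password, $productionmode);
}
print_r(check_login('alice', 'constructed-secret', false));
print_r(check_login('alice', 'constructed-secret', true));
```

With productionmode false, the check_login frame scrubs $password but the trim_input frame still prints the same value, because its parameter is not named like a secret; with productionmode true neither frame prints any value.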

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6811
Committed: https://git.mahara.org/mahara/mahara/commit/cadbbf5c0c771ecfe489229e68f1fa2154ff157c
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit cadbbf5c0c771ecfe489229e68f1fa2154ff157c
Author: Aaron Wells <email address hidden>
Date: Thu Apr 14 19:52:42 2016 +1200

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6812
Committed: https://git.mahara.org/mahara/mahara/commit/b3840bbb3e67bb733c0f862d9b01c2d575591831
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit b3840bbb3e67bb733c0f862d9b01c2d575591831
Author: Aaron Wells <email address hidden>
Date: Thu Apr 14 19:52:42 2016 +1200

Robert Lyon (robertl-9) on 2016-08-08
information type: Private Security → Public Security
Robert Lyon (robertl-9) on 2016-10-21
Changed in mahara:
milestone: 16.10.0 → none
status: Fix Committed → Fix Released