trace leaks user IDs and passwords

Bug #1638166 reported by Michi Henning
Affects: webapps-sprint (Importance: Critical, Assigned to: Alberto Mardegan)
Affects: online-accounts-api (Ubuntu) (Importance: Critical, Assigned to: Alberto Mardegan)

Bug Description

When using the online accounts Qt API, I see trace produced in my tests such as this:

reply data: QMap(("AccessToken", QVariant(QString, "access_token"))("ExpiresIn", QVariant(int, 0))("GrantedScopes", QVariant(QStringList, ("scope1", "scope2"))))

This is undesirable because it spams stderr; please remove the trace.

Worse, it looks like the user ID and password are printed here in plain text. For example, in the owncloud provider tests, we see this:

reply data: QMap(("Password", QVariant(QString, "pass"))("Username", QVariant(QString, "user")))
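The leak described above, with the mitigation the maintainer went on to apply (trace disabled by default) plus masking of credential-bearing keys, as an added C++ example that is not part of the online-accounts-api code; it uses std::map in place of QMap/QVariant, and the OA_TRACE_REPLY switch and the key list are assumptions for the example:

```cpp
#include <cstdlib>
#include <iostream>
#include <map>
#include <set>
#include <string>

// Stand-in for the QMap<QString, QVariant> "reply data" in the report
// (std::map, since Qt is not assumed here).
using ReplyData = std::map<std::string, std::string>;

// Keys whose values must never reach a log line, even when verbose
// tracing is on. Constructed list for this example.
static const std::set<std::string> kSecretKeys = {
    "Password", "Username", "AccessToken", "Secret", "TokenSecret"};

// Render the reply for logging with credential-bearing values masked.
std::string redactedReply(const ReplyData &data) {
    std::string out = "reply data: {";
    bool first = true;
    for (const auto &kv : data) {
        if (!first) out += ", ";
        first = false;
        out += kv.first + "=";
        out += kSecretKeys.count(kv.first) ? std::string("<redacted>")
                                           : "\"" + kv.second + "\"";
    }
    return out + "}";
}

// Off unless explicitly enabled, mirroring "disable debug output by default";
// OA_TRACE_REPLY is an assumed name, not the package's real switch.
bool traceEnabled() {
    const char *v = std::getenv("OA_TRACE_REPLY");
    return v != nullptr && std::string(v) == "1";
}

// Returns the line written to stderr, or "" when tracing is off, so callers
// and tests can check exactly what would leave the process.
std::string traceReply(const ReplyData &data) {
    if (!traceEnabled()) return "";
    const std::string line = redactedReply(data);
    std::cerr << line << '\n';
    return line;
}

int main() {
    ReplyData owncloud = {{"Password", "pass"}, {"Username", "user"}};
    std::cout << redactedReply(owncloud) << '\n';  // both values masked
    return 0;
}
```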

Alberto Mardegan (mardy) wrote :

Confirmed. I'll see if it makes sense to keep the message (but hide it under a different logging category and keep it disabled by default), otherwise I'll just remove the line.

Changed in online-accounts-api (Ubuntu):
status: New → Confirmed
assignee: nobody → Alberto Mardegan (mardy)
Alberto Mardegan (mardy)
information type: Private Security → Public Security
Alberto Mardegan (mardy)
Changed in online-accounts-api (Ubuntu):
status: Confirmed → In Progress
Alberto Mardegan (mardy)
Changed in webapps-sprint:
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Alberto Mardegan (mardy)
milestone: none → sprint-27
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package online-accounts-api - 0.1+17.04.20161101-0ubuntu1

---------------
online-accounts-api (0.1+17.04.20161101-0ubuntu1) zesty; urgency=medium

  * Disable debug output by default (LP: #1638166)

 -- Alberto Mardegan <email address hidden> Tue, 01 Nov 2016 11:09:36 +0000

Changed in online-accounts-api (Ubuntu):
status: In Progress → Fix Released
Alberto Mardegan (mardy)
Changed in webapps-sprint:
status: In Progress → Fix Released
This report contains Public Security information. Everyone can see this security related information.