trace leaks user IDs and passwords
Bug #1638166 reported by
Michi Henning
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| webapps-sprint |
Fix Released
|
Critical
|
Alberto Mardegan | ||
| online-accounts-api (Ubuntu) |
Fix Released
|
Critical
|
Alberto Mardegan | ||
Bug Description
When using the online accounts qt API, I see trace produced in my tests such as this:
reply data: QMap(("
This is undesirable because it spams stderr; please remove the trace.
Worse, it looks like the user ID and password are printed here in plain text. For example, in the owncloud provider tests, we see this:
reply data: QMap(("Password", QVariant(QString, "pass")
Related branches
lp://staging/~mardy/online-accounts-api/debug-1638166
- Alexandre Abreu (community): Approve
-
Diff: 99 lines (+19/-5)5 files modifiedsrc/lib/OnlineAccounts/CMakeLists.txt (+4/-0)
src/lib/OnlineAccounts/authentication_reply.cpp (+4/-3)
src/lib/OnlineAccounts/global.h (+5/-0)
src/lib/OnlineAccounts/manager.cpp (+4/-1)
src/lib/OnlineAccounts/request_access_reply.cpp (+2/-1)
Revision history for this message
| Alberto Mardegan (mardy) wrote | #1 |
| Changed in online-accounts-api (Ubuntu): | |
| status: | New → Confirmed |
| assignee: | nobody → Alberto Mardegan (mardy) |
| information type: | Private Security → Public Security |
| Changed in online-accounts-api (Ubuntu): | |
| status: | Confirmed → In Progress |
| Changed in webapps-sprint: | |
| status: | New → In Progress |
| importance: | Undecided → Critical |
| assignee: | nobody → Alberto Mardegan (mardy) |
| milestone: | none → sprint-27 |
Revision history for this message
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in online-accounts-api (Ubuntu): | |
| status: | In Progress → Fix Released |
| Changed in webapps-sprint: | |
| status: | In Progress → Fix Released |
To post a comment you must log in.
Confirmed. I'll see if it makes sense to keep the message (but hide it under a different logging category and keep it disabled by default), otherwise I'll just remove the line.