trace leaks user IDs and passwords

Bug #1638166 reported by Michi Henning
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
webapps-sprint | Fix Released | Critical | Alberto Mardegan |
online-accounts-api (Ubuntu) | Fix Released | Critical | Alberto Mardegan |

Bug Description

When using the online accounts Qt API, I see trace produced in my tests such as this:

reply data: QMap(("AccessToken", QVariant(QString, "access_token"))("ExpiresIn", QVariant(int, 0))("GrantedScopes", QVariant(QStringList, ("scope1", "scope2"))))

This is undesirable because it spams stderr; please remove the trace.

Worse, it looks like the user ID and password are printed here in plain text. For example, in the ownCloud provider tests, we see this:

reply data: QMap(("Password", QVariant(QString, "pass"))("Username", QVariant(QString, "user")))

Alberto Mardegan (mardy) wrote :

Confirmed. I'll see if it makes sense to keep the message (but hide it under a different logging category and keep it disabled by default), otherwise I'll just remove the line.

Changed in online-accounts-api (Ubuntu):
status: New → Confirmed
assignee: nobody → Alberto Mardegan (mardy)
Alberto Mardegan (mardy)
information type: Private Security → Public Security
Alberto Mardegan (mardy)
Changed in online-accounts-api (Ubuntu):
status: Confirmed → In Progress
Alberto Mardegan (mardy)
Changed in webapps-sprint:
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Alberto Mardegan (mardy)
milestone: none → sprint-27
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package online-accounts-api - 0.1+17.04.20161101-0ubuntu1

---------------
online-accounts-api (0.1+17.04.20161101-0ubuntu1) zesty; urgency=medium

  * Disable debug output by default (LP: #1638166)

 -- Alberto Mardegan <email address hidden> Tue, 01 Nov 2016 11:09:36 +0000

Changed in online-accounts-api (Ubuntu):
status: In Progress → Fix Released
Alberto Mardegan (mardy)
Changed in webapps-sprint:
status: In Progress → Fix Released
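
A check that a test suite could run over captured stderr to catch this class of leak, as an added example that is not part of the bug report or the online-accounts-api code. It assumes the QDebug print format for QMap and QVariant exactly as quoted in the report; the key names beyond Password, Username and AccessToken, and the middle line of the sample, are constructed for illustration.

```python
import re

# Keys treated as sensitive. "Password", "Username" and "AccessToken" appear in
# the report; the others are assumptions added for illustration.
SENSITIVE_KEYS = {"password", "username", "accesstoken", "refreshtoken", "secret"}

# One string-valued QMap entry as QDebug prints it:
#   ("Key", QVariant(QString, "value"))
ENTRY_RE = re.compile(
    r'\("(?P<key>[^"]+)",\s*QVariant\(QString,\s*"(?P<value>(?:[^"\\]|\\.)*)"\)\)'
)

def find_leaks(log_text):
    """Return (line_number, key) for each sensitive key printed with a value."""
    leaks = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        for match in ENTRY_RE.finditer(line):
            if match.group("key").lower() in SENSITIVE_KEYS and match.group("value"):
                leaks.append((number, match.group("key")))
    return leaks

def redact(line):
    """Mask the values of sensitive keys, leaving other entries readable."""
    def mask(match):
        if match.group("key").lower() not in SENSITIVE_KEYS:
            return match.group(0)
        return '("%s", QVariant(QString, "<redacted>"))' % match.group("key")
    return ENTRY_RE.sub(mask, line)

# Constructed sample: the two trace lines quoted in the report plus a harmless one.
SAMPLE_LOG = "\n".join([
    'reply data: QMap(("AccessToken", QVariant(QString, "access_token"))("ExpiresIn", QVariant(int, 0))("GrantedScopes", QVariant(QStringList, ("scope1", "scope2"))))',
    'test passed: 12 cases',
    'reply data: QMap(("Password", QVariant(QString, "pass"))("Username", QVariant(QString, "user")))',
])

if __name__ == "__main__":
    for number, key in find_leaks(SAMPLE_LOG):
        print("line %d leaks %s" % (number, key))
    for line in SAMPLE_LOG.splitlines():
        print(redact(line))
```

Failing the test run when `find_leaks` returns anything keeps a re-enabled debug line from reaching a release unnoticed.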
This report contains Public Security information  
Everyone can see this security related information.
