Passwords written (not hidden or hashed) in log files #10175
Comments
GitMate.io thinks possibly related issues are #293 (Log still written as owncloud.log), #8104 (clear text password in log file when ldap not available), #2304 (Config error should not lead to user passwords in log), #2631 (Warning logged when logging in with an email address and password.), and #7217 (Decrypt a file when username and password known).
Hi little bot,
@bseclier I guess you are talking about this entry:
@nickvergessen Any chance to hide it only for queries to oc_authtoken?
That is where it needs to be added: https://github.com/nextcloud/server/blob/master/lib/private/Log/ExceptionSerializer.php
@MorrisJobke no it is not in that query, as there the password is encrypted anyway already. It is in the stacktrace at server/lib/private/User/Session.php Line 620 in 8c47a63
You're right @rullzer !
time to raise priority on a little script which looks for parameter names and checks that the method name is in the block list, he? Anyway, I guess adding
Fix is in #10193 |
Hi,
We are facing some troubles here. Looking into my logfile, I can see all my users' passwords, not hidden. Here is the kind of log (in the text file attached). I replaced the real password with PASSWORD HERE NOT HIDDEN and the true login with MY LOGIN.
It seems that when OC\User\Session->createSessionToken is logged, we can see the password.
Here is my log configuration (in WARN mode):
'logfile' => '',
'log_type' => 'syslog',
'loglevel' => '2',
'syslog_tag' => 'nextcloud',
Thanks for taking care of it.
Cheers,
nextcloud.log
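The root cause discussed above is that the logged stack trace carries the arguments of the frame that called createSessionToken, password included, so the fix has to happen where the trace is serialized, not in the authtoken query. The following is an added illustration of that approach and is not Nextcloud's own ExceptionSerializer: a serializer that blanks the arguments of every frame whose Class::method is on a block list before the trace reaches a log sink. The method list, the file paths and the sample trace are constructed; PHP 7.4+ is assumed for the arrow function.

```php
<?php
declare(strict_types=1);

// Hypothetical redactor, modelled on the block-list idea from the thread.
final class TraceRedactor
{
    /** Constructed sample block list of Class::method names that receive credentials. */
    private const SENSITIVE_METHODS = [
        'OC\User\Session::createSessionToken',
        'OC\User\Session::login',
    ];

    /** Takes frames shaped like Throwable::getTrace(); returns them with args scrubbed. */
    public static function redact(array $trace): array
    {
        foreach ($trace as $i => $frame) {
            $name = (isset($frame['class']) ? $frame['class'] . '::' : '') . ($frame['function'] ?? '');
            if (in_array($name, self::SENSITIVE_METHODS, true)) {
                // Keep the arity so the frame stays readable, but drop every value.
                $count = count($frame['args'] ?? []);
                $trace[$i]['args'] = array_fill(0, $count, '*** sensitive parameter replaced ***');
            }
        }
        return $trace;
    }

    /** Render frames the way a log line would show them, for inspection. */
    public static function format(array $trace): string
    {
        $lines = [];
        foreach ($trace as $i => $frame) {
            $call = (isset($frame['class']) ? $frame['class'] . ($frame['type'] ?? '::') : '') . $frame['function'];
            $args = implode(', ', array_map(
                static fn($a) => is_string($a) ? "'" . $a . "'" : var_export($a, true),
                $frame['args'] ?? []
            ));
            $lines[] = sprintf('#%d %s(%d): %s(%s)', $i, $frame['file'] ?? '[internal]', $frame['line'] ?? 0, $call, $args);
        }
        return implode("\n", $lines);
    }
}

// Constructed sample trace; argument order is illustrative, not the real signature.
$sample = [
    ['file' => '/srv/nextcloud/lib/private/User/Session.php', 'line' => 620,
     'class' => 'OC\User\Session', 'type' => '->', 'function' => 'createSessionToken',
     'args' => [null, 'MY LOGIN', 'MY LOGIN', 'PASSWORD-HERE-NOT-HIDDEN', true]],
    ['file' => '/srv/nextcloud/lib/base.php', 'line' => 100, 'function' => 'handleRequest', 'args' => []],
];
$safe = TraceRedactor::redact($sample);
if (strpos(TraceRedactor::format($safe), 'PASSWORD-HERE') !== false) { throw new RuntimeException('leak'); }
echo TraceRedactor::format($safe), PHP_EOL;
```

Hooking such a redactor into the serializer rather than into individual callers is what makes the protection hold for every exception path, including the one the reporter hit with loglevel 2.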