[RCD] [PATCH]: Hide passwords in imap log

Chris January chris at atomice.net
Tue Nov 17 14:11:56 CET 2009


Hello,

I noticed that passwords are output in plain text to the imap log file if
imap_debug is set to true in main.inc.php. If I don't configure my web
server correctly (e.g. don't set AllowOverride with Apache) then the log
file may be downloaded from the logs directory, exposing the passwords.
Obviously it pays to make sure that my web server is configured correctly,
but since this is an easy mistake to make I think it would be worthwhile
masking passwords in the imap debug log.
I attach a patch that does just that.

Regards,
Chris January

-- 
http://www.atomice.com



 --- 8< --- detachments --- 8< ---
 The following attachments have been detached and are available for viewing.
  http://detached.gigo.com/rc/1s/eZkh2HNv/imap-log-hide-passwo.patch
 Only click these links if you trust the sender, as well as this message.
 --- 8< --- detachments --- 8< ---

-------------- next part --------------
_______________________________________________
List info: http://lists.roundcube.net/dev/


More information about the Dev mailing list