[RCD] [PATCH]: Hide passwords in imap log
Jonas Meurer
jonas at freesources.org
Tue Nov 17 17:57:14 CET 2009
hey,
On 17/11/2009 Chris January wrote:
> I noticed that passwords are output in plain text to the imap log file if
> imap_debug is set to true in main.inc.php. If I don't configure my web
> server correctly (e.g. don't set AllowOverride with Apache) then the log
> file may be downloaded from the logs directory, exposing the passwords.
> Obviously it pays to make sure that my web server is configured correctly,
> but since this is an easy mistake to make I think it would be worthwhile
> masking passwords in the imap debug log.
> I attach a patch that does just that.
yes, please please accept this patch upstream. i consider it as
a major security issue if plaintext passwords are logged to a
logfile, even if that's only with debugging options enabled.
greetings,
jonas
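The masking discussed in this thread, sketched as an added example; it is not Chris January's attached patch and not Roundcube code. It assumes a debug transcript whose lines carry "C: " (client) and "S: " (server) prefixes, and the names `ImapLogMasker` and `mask_transcript` are hypothetical. Beyond the LOGIN command it also covers SASL AUTHENTICATE responses, which carry the same credentials base64-encoded.

```python
import re

MASK = "****"
# An IMAP astring as used by LOGIN: a quoted string or a bare atom (RFC 3501).
_ASTRING = r'(?:"(?:[^"\\]|\\.)*"|[^\s"]+)'
# C: <tag> LOGIN <user> <password>
_LOGIN = re.compile(rf'^(C: \S+ LOGIN {_ASTRING}) {_ASTRING}\s*$', re.I)
# C: <tag> AUTHENTICATE <mechanism> [initial-response]
_AUTH = re.compile(r'^(C: (\S+) AUTHENTICATE \S+)(?: (\S+))?\s*$', re.I)


class ImapLogMasker:
    """Masks credentials in an IMAP debug transcript, one line at a time."""

    def __init__(self):
        self._auth_tag = None  # tag of an AUTHENTICATE exchange in progress

    def mask(self, line):
        line = line.rstrip("\r\n")
        if self._auth_tag is not None:
            if line.startswith("C: "):
                # Client data inside the exchange is a base64 SASL response.
                return "C: " + MASK
            if line.startswith(f"S: {self._auth_tag} "):
                self._auth_tag = None  # tagged OK/NO/BAD ends the exchange
            return line  # if the tagged reply never arrives we keep masking
        m = _LOGIN.match(line)
        if m:
            return f"{m.group(1)} {MASK}"
        m = _AUTH.match(line)
        if m:
            self._auth_tag = m.group(2)
            return m.group(1) + (f" {MASK}" if m.group(3) else "")
        return line


def mask_transcript(lines):
    masker = ImapLogMasker()
    return [masker.mask(l) for l in lines]


# Constructed sample transcript (assumed "C: "/"S: " log format).
SAMPLE = [
    'C: A0001 LOGIN alice "s3cr3t pw"',
    "S: A0001 NO LOGIN failed",
    "C: A0002 AUTHENTICATE PLAIN AGFsaWNlAHMzY3IzdA==",
    "S: A0002 OK done",
    "C: A0003 AUTHENTICATE LOGIN",
    "S: + VXNlcm5hbWU6",
    "C: YWxpY2U=",
    "S: A0003 OK done",
    "C: A0004 SELECT INBOX",
]
```

Masking has to happen before the line reaches the log writer; scrubbing the file afterwards leaves a window in which the plaintext is on disk.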
_______________________________________________
List info: http://lists.roundcube.net/dev/