[chirp_devel] Security BUG: Chirp is leaking users passwords in the debug.log

Pavel Milanes
Thu Jan 11 12:13:21 PST 2018


Hi Dan et al,

I was working recently on a Chirp issue and a user uploaded a 
debug.log for me... the debug.log has the password of an online service 
in plain text. The issue page was removed at the user's request to 
maintain his privacy (I would have erased only the uploaded log and not 
the entire issue page, but I was offline at that time).

That is, from any point of view, a security risk and unacceptable: Chirp 
can't leak users' credentials.

You can see a sample of a log (password obfuscated to "password" for 
security reasons) in this comment:

https://chirp.danplanet.com/issues/5481#note-11

I ask Dan and others about the correct course of action; as I see it we 
have a few options:

 1. Don't log the XML data at all (this will make it difficult to debug)
 2. Parse the XML data output and remove/obfuscate the password before
    printing to debug.log
 3. #2 plus some command line switch to log the clear text
    credentials only on demand of the user/dev.
 4. Other?

Number 2 is the obvious option, but I don't have an online account to 
test with, nor the connectivity and time to test it.

Who takes it to fix it? Dan? Others?

Maybe I have the paranoia setting too high...

Cheers, Pavel.

-- 
73 CO7WT, Pavel.
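As an added example of option 2 (and the on-demand switch from option 3), not code from CHIRP or from anyone in this thread: a Python filter that redacts credential-bearing elements and attributes from an XML request before it is written to debug.log, with a fallback for payloads that do not parse, and a check that the logged text no longer contains the known secrets. The element and attribute names in SENSITIVE_NAMES, the sample request, and the function names are assumptions; the real service's request format may differ.

```python
# Added example (not CHIRP project code): redact credentials from XML
# before it reaches debug.log. Field names, the sample document and the
# function names are assumptions, not CHIRP's real request format.
import re
import xml.etree.ElementTree as ET

# Element/attribute local names (compared case-insensitively) treated as
# secrets. This is a denylist: a credential under another name will leak.
SENSITIVE_NAMES = {"password", "passwd", "pass", "secret", "token",
                   "apikey", "api_key", "authkey"}
REDACTED = "[REDACTED]"

_NAMES = "|".join(sorted(SENSITIVE_NAMES))
# Fallback patterns for text that is not well-formed XML:
# <password ...>value</   and   token="value"
_ELEM_RE = re.compile(r"(<(?:\w+:)?(?:%s)\b[^>]*>)([^<]*)(</)" % _NAMES, re.I)
_ATTR_RE = re.compile(r"\b(%s)\b(\s*=\s*)([\"'])(.*?)\3" % _NAMES, re.I)


def _local_name(name):
    """Strip an ElementTree namespace: '{urn:x}password' -> 'password'."""
    return name.rsplit("}", 1)[-1].lower()


def _redact_regex(text):
    """Best-effort redaction when the payload does not parse as XML."""
    text = _ELEM_RE.sub(lambda m: m.group(1) + REDACTED + m.group(3), text)
    text = _ATTR_RE.sub(
        lambda m: m.group(1) + m.group(2) + m.group(3) + REDACTED + m.group(3),
        text)
    return text


def redact_xml(xml_text, show_secrets=False):
    """Return xml_text with credential values replaced by REDACTED.

    show_secrets=True is the opt-in switch from option 3: the text is
    returned unchanged so a developer can deliberately log clear text.
    """
    if show_secrets:
        return xml_text
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # Never fall through to logging the raw text just because it
        # failed to parse; scrub it with the regex fallback instead.
        return _redact_regex(xml_text)
    for elem in root.iter():
        if (_local_name(elem.tag) in SENSITIVE_NAMES
                and elem.text and elem.text.strip()):
            elem.text = REDACTED
        for attr in list(elem.attrib):
            if _local_name(attr) in SENSITIVE_NAMES:
                elem.attrib[attr] = REDACTED
    return ET.tostring(root, encoding="unicode")


def leaked_secrets(logged_text, secrets):
    """Return the secrets that still appear verbatim in logged_text.

    Meant for a unit test of the logging path: after redaction the
    returned list must be empty.
    """
    return [s for s in secrets if s and s in logged_text]


# Constructed sample request (assumption); the real service may differ.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<request>
  <login>
    <username>cm7abc</username>
    <password>hunter2</password>
  </login>
  <session token="d34db33f" version="1"/>
</request>"""

if __name__ == "__main__":
    safe = redact_xml(SAMPLE_REQUEST)
    print(safe)
    print("leaked:", leaked_secrets(safe, ["hunter2", "d34db33f"]))
```

Redaction by field name only catches the names you listed, so the leaked_secrets check is the part worth keeping in a test: feed it the credentials the test logged in with and assert nothing comes back. The same credentials can also appear outside the XML body (URL query strings, HTTP Authorization headers, base64-encoded auth blobs), so the check should run over the complete debug output, not only over the XML.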
