production_error.log may contain plaintext passwords


(Michael - DiscourseHosting.com) #1

While researching the previous bug we encountered a nasty password disclosure bug.
I don’t know if this is a standard Rails issue, or a Thin issue, or a Discourse issue, so feel free to close this if inappropriate.

The asterisks in the snippet from production_error.log below have been put there by me. It contained plaintext username/password.

 <hash>
  <date type="datetime">2013-10-13T11:39:08+00:00</date>
  <guid>7bf6f3bd-bbaa-421a-b84b-1821bb0302b5</guid>
  <user-id type="integer">1</user-id>
  <request>{"username"=>"****", "password"=>"*******", "redirect"=>"http://******.discoursehosting.net/", "action"=>"enter", "controller"=>"static"}</request>
  <action>enter</action>
  <controller>static</controller>
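The fix for this class of bug is to redact sensitive request parameters before they reach any log; in Rails that is what config.filter_parameters (set in config/initializers/filter_parameter_logging.rb) does. The following is an added stand-alone Ruby example, not code from Discourse or from the commit linked below, showing the same recursive key-based redaction over a constructed request hash shaped like the one in the log snippet above; the key list and the SAMPLE_REQUEST values are assumptions made for the illustration.

```ruby
# Added example (not Discourse's own code): redact sensitive request
# parameters before they are written to an error log, mirroring what
# Rails' config.filter_parameters does. Keys are matched case-insensitively
# as substrings, so "password", "password_confirmation" and "auth_token"
# are all caught, and nested hashes and arrays are walked recursively.
SENSITIVE_KEYS = %w[password passwd secret token api_key].freeze
FILTERED = "[FILTERED]".freeze

def filter_params(params, sensitive = SENSITIVE_KEYS)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = if sensitive.any? { |s| key.to_s.downcase.include?(s) }
                   FILTERED
                 else
                   filter_params(value, sensitive)
                 end
    end
  when Array
    params.map { |v| filter_params(v, sensitive) }
  else
    params
  end
end

# Constructed request hash (hypothetical values) shaped like the one
# that appeared in production_error.log in the report above.
SAMPLE_REQUEST = {
  "username"   => "admin",
  "password"   => "hunter2",
  "redirect"   => "http://example.discoursehosting.net/",
  "action"     => "enter",
  "controller" => "static",
  "session"    => { "auth_token" => "abc123", "remember" => true }
}.freeze

if __FILE__ == $0
  # Only the redacted form should ever be handed to a logger.
  puts filter_params(SAMPLE_REQUEST).inspect
end
```

The point of walking nested structures is that a params hash logged on error often contains sub-hashes (session data, OAuth payloads) whose secrets a top-level-only filter would miss.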

(Sam Saffron) #2

My bug, fixed in master

https://github.com/discourse/discourse/commit/e5fbdde56f3fa6b10384d814662ae515acfb70f5


(Sam Saffron) #3

This topic was automatically closed after 1 day. New replies are no longer allowed.