[rt-users] Security risk! Passwords can be compromised!

Rob Munsch rob.munsch at gmail.com
Thu Feb 5 17:02:07 EST 2009


On Thu, Feb 5, 2009 at 3:47 PM, Jesse Vincent <jesse at bestpractical.com> wrote:
>
> On Tue  3.Feb'09 at 22:37:59 -0500, Isaac Vetter wrote:
>> > The docs for 'LogStackTrace' have been updated as follows. How do
>> > folks feel about the new notice?
>> >
>> > If set then logging will include stack traces for messages with
>> > level equal or greater than specified.
>> >
>> > NOTICE: Stack traces include parameters that functions or methods
>> > were called with. It is possible for stack trace logging to reveal sensitive
>> > information such as passwords and ticket content in your logs.
>>
>> Jesse,
>>
>> Since you're asking (and towards the goal of something useful coming from
>> this thread). :)
>>
>> I would say that, in this case, you shouldn't end a sentence with a
>> preposition.
>>
>> How about:
>> "Stack traces include the parameters of called functions."
>> or
>> "Stack traces include the parameters used within methods and functions."
>> or
>> ...
>
> I've just checked in this:
>
> NOTICE: Stack traces include parameters supplied to functions or
> methods. It is possible for stack trace logging to reveal sensitive
> information such as passwords or ticket content in your logs.

That sounds perfect. Once I was done testing ExternalAuth, I turned
off stack traces, then manually blew away those sections of the logs
that contained the passwords anyway, just to keep in paranoia
practice.

-- 
/chown -R us:us /yourbase
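
Added example, not part of the original message or of RT's code: a Python sketch of the log clean-up described above, removing the arguments from every stack-trace frame in a log. It assumes frames in the style Perl's Carp module prints (`Package::function(args) called at FILE line N`); the sample log, package names and paths are constructed.

```python
import re

# Frame line in the style Perl's Carp module prints:
#   <tab>Package::function(args...) called at <file> line <n>
# Assumption: the log being cleaned uses this frame style.
# The greedy (.*) keeps nested parentheses such as HASH(0x...) inside the
# argument group, so the whole argument list is captured.
FRAME = re.compile(r"^(\s*[\w:]+)\((.*)\)( called at .+ line \d+\.?)$")


def redact_stack_args(lines):
    """Return (cleaned_lines, touched) with every frame's arguments removed.

    All arguments are dropped, not only ones that look like passwords:
    any parameter may carry a secret or ticket content.
    """
    cleaned, touched = [], []
    for number, line in enumerate(lines, start=1):
        match = FRAME.match(line)
        if match and match.group(2):
            line = f"{match.group(1)}([redacted]){match.group(3)}"
            touched.append(number)  # 1-based, for manual review afterwards
        cleaned.append(line)
    return cleaned, touched


# Constructed sample log, not taken from a real system.
SAMPLE_LOG = [
    "[Thu Feb  5 21:40:12 2009] [error]: constructed failure message",
    "\tExample::Auth::check('Example::Auth=HASH(0x9a3f1c8)', 'hunter2')"
    " called at /path/to/Auth.pm line 42",
    "\tExample::Web::login('user', 'alice', 'pass', 'hunter2')"
    " called at /path/to/login.html line 7",
    "\tExample::Web::handler() called at /path/to/handler.pl line 3",
    "[Thu Feb  5 21:40:13 2009] [info]: constructed unrelated line",
]

if __name__ == "__main__":
    cleaned, touched = redact_stack_args(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("redacted frames on lines:", touched)
```

Rotated and archived copies of the log hold the same frames, and a password that reached a log is safest treated as exposed and changed.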


