Bug 5605 – SqueezeNetwork plugin logs SN password to server.log (Debian package)

Bug 5605 - SqueezeNetwork plugin logs SN password to server.log (Debian package)

Summary:

SqueezeNetwork plugin logs SN password to server.log (Debian package)

Status:	RESOLVED FIXED

Product:	Logitech Media Server
Classification:	Unclassified
Component:	SqueezeNetwork Integration
Version:	7.0
Platform:	PC Debian Linux

Importance:	P1 normal (vote)
Target Milestone:	---
Assigned To:	Squeezebox QA Team email alias

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2007-09-28 21:50 UTC by Ben Sandee
Modified:	2007-09-29 06:39 UTC (History)
CC List:	0 users

See Also:
Category:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ben Sandee 2007-09-28 21:50:40 UTC

Running a nightly .deb build of 7.0a, I noticed my SN password in cleartext within the server.logs.  Not a huge deal, but kinda dumb too.  Better to leave it out.

[23:34:48.4194] Slim::Web::Settings::Server::Wizard::handler (115) plugin.musicmagic.port: 10002
[23:34:48.4197] Slim::Web::Settings::Server::Wizard::handler (115) server.weproxy: 
[23:34:48.4204] Slim::Web::Settings::Server::Wizard::handler (115) server.sn_email: tbsandee@pobox.com
[23:34:48.4208] Slim::Web::Settings::Server::Wizard::handler (115) server.sn_password: notmyrealpassword
[23:34:48.4211] Slim::Web::Settings::Server::Wizard::handler (115) server.audiodir: /home/music

Having the password in the logs is just a bad idea because people blindly paste log files into emails, forums, bug reports (!).

Comment 1 Ben Sandee 2007-09-28 22:01:17 UTC

OK, it seems it may be limited to the setup wizard because I wiped the logs and restarted the server and do not see the password any more.

Comment 2 Michael Herger 2007-09-29 06:39:19 UTC

Change 13361 - don't log data entered in the wizard; reduced the log-level to WARN, too