Closed
Bug 1163541
Opened 9 years ago
Closed 9 years ago
JS XMPP debug logs shouldn't contain the user's password
Categories
(Chat Core :: XMPP, defect)
Chat Core
XMPP
Tracking
(Not tracked)
RESOLVED
FIXED
Instantbird 43
People
(Reporter: florian, Assigned: aleth)
Details
(Whiteboard: [1.6-blocking])
Attachments
(1 file, 3 obsolete files)
8.97 KB,
patch
|
clokep
:
review+
|
Details | Diff | Splinter Review |
Currently when the PLAIN authentication mechanism is used, the debug log contains the user's password.
Assignee | ||
Updated•9 years ago
|
Whiteboard: [1.6-blocking]
Assignee | ||
Comment 1•9 years ago
|
||
Attachment #8645460 -
Flags: review?(clokep)
Comment 2•9 years ago
|
||
Comment on attachment 8645460 [details] [diff] [review]
xmppauthlog.diff
Review of attachment 8645460 [details] [diff] [review]:
-----------------------------------------------------------------
Looks OK, do we need to do anything for GTalk's PlainFullBindAuth? https://mxr.mozilla.org/comm-central/source/chat/protocols/gtalk/gtalk.js#22
Attachment #8645460 -
Flags: review?(clokep) → review+
Assignee | ||
Comment 3•9 years ago
|
||
(In reply to Patrick Cloke [:clokep] from comment #2)
> Looks OK, do we need to do anything for GTalk's PlainFullBindAuth?
> https://mxr.mozilla.org/comm-central/source/chat/protocols/gtalk/gtalk.js#22
Good catch.
Assignee | ||
Comment 4•9 years ago
|
||
Now includes gtalk, legacyAuth, and MUC passwords too.
I haven't tested these three - anyone know any password-protected MUCs and/or servers that don't support SASL?
Attachment #8645460 -
Attachment is obsolete: true
Attachment #8645469 -
Flags: review?(clokep)
Comment 5•9 years ago
|
||
Comment on attachment 8645469 [details] [diff] [review]
xmppauthlog.diff v2
Review of attachment 8645469 [details] [diff] [review]:
-----------------------------------------------------------------
This looks reasonable. We should test this before marking checkin-needed.
Attachment #8645469 -
Flags: review?(clokep) → review+
Assignee | ||
Comment 6•9 years ago
|
||
Tested joining a MUC.
Fixed an edge case where we would select SASL PLAIN even though alternatives were available.
I don't know of a server to test legacy auth with.
Attachment #8645469 -
Attachment is obsolete: true
Attachment #8645482 -
Flags: review?(clokep)
Comment 7•9 years ago
|
||
Comment on attachment 8645482 [details] [diff] [review]
xmppauthlog.diff v3
Review of attachment 8645482 [details] [diff] [review]:
-----------------------------------------------------------------
::: chat/protocols/xmpp/xmpp-session.jsm
@@ +314,2 @@
> let mech = m.innerText;
> + if (mech == "PLAIN") {
Why the change to this._encrypted? That seems unrelated...
Assignee | ||
Comment 8•9 years ago
|
||
(In reply to Patrick Cloke [:clokep] from comment #7)
> > + if (mech == "PLAIN") {
>
> Why the change to this._encrypted? That seems unrelated...
It's moved further down. The point is that if you are on an encrypted connection, then with the code as it was, we'd pick PLAIN immediately in the else clause.
Comment 9•9 years ago
|
||
Comment on attachment 8645482 [details] [diff] [review]
xmppauthlog.diff v3
r- as discussed on IRC to split out the confusing section with encrypted.
Attachment #8645482 -
Flags: review?(clokep) → review-
Assignee | ||
Comment 10•9 years ago
|
||
PLAIN change removed.
I think we should land this unless someone knows any legacy auth servers for testing.
Assignee: nobody → aleth
Attachment #8645482 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #8646551 -
Flags: review?(clokep)
Updated•9 years ago
|
Attachment #8646551 -
Flags: review?(clokep) → review+
Assignee | ||
Comment 11•9 years ago
|
||
url: https://hg.mozilla.org/comm-central/rev/ac1d626163bc50a95ab9f8f84504339a36e3a94c
changeset: ac1d626163bc50a95ab9f8f84504339a36e3a94c
user: aleth <aleth@instantbird.org>
date: Wed Aug 12 01:09:49 2015 +0200
description:
Bug 1163541 - JS XMPP debug logs shouldn't contain the user's password. r=clokep
Assignee | ||
Updated•9 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → Instantbird 43
You need to log in
before you can comment on or make changes to this bug.
Description
•