Closed Bug 13061 Opened 21 years ago Closed 20 years ago

Security risk: bugzilla passwords show up in stdout

Categories

(SeaMonkey :: General, defect, P3)

x86
Other
defect

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: cmaximus, Assigned: kmcclusk)

Details

Target Milestone: M1
t
h
i
s

i
s

a

t
e
s
t
Target Milestone: M1 → M11
marking m11.

cc'ing davidm and morse.  They should know more about this than I do.

I've seen this before though.  As I type my mail news password, the characters
show up in the console.
checked in a "fix".

I don't see the "one character per line" behaviour, but I do see the
"mPassword text is XXXXX" behaviour, which is scary too.

jfrancis and buster:  I just checked in a change to
mozilla/editor/base/nsTextEditRules.cpp
so that the code that prints out "mPassword text is XXXXX" is wrapped with
#ifdef DEBUG_jfrancis and #ifdef DEBUG_buster, depending on who wrote the code.

marking fixed.
Status: RESOLVED → REOPENED
the one character per line thing has nothing to do with this bug really.
That was some weird text field widget thing. I still see a problem with the
1999090708 Linux build. If I go to the Bugzilla main page and select 'forget
current login' and then 'change password' I'm presented with the standard bugzilla
login page. If I type in my name and password and click 'Login' the following is
printed to the console.
Bugzilla_login=claudius%40netscape.com&Bugzilla_password=XXXXXX&GoAheadAndLogin=login

where of course XXXXXX is my password in clear text.
Status: REOPENED → ASSIGNED
claudius, the problem that you describe is caused by someone in the code doing a
printf of the url, probably for some debugging reason.

I'll try to hunt it down and wrap it with some #ifdef DEBUG_<author> lines.

accepting.
Resolution: FIXED → ---
Clearing Fixed resolution due to reopen.
Target Milestone: M11 → M10
Move milestone stoppers to M10
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → WORKSFORME
I don't think this is still happening.  marking works for me.
Status: RESOLVED → REOPENED
still happens exactly as I stated in my comments from 09/07 which seems
different from what you fixed prior to that.
Target Milestone: M10 → M12
QA Contact: leger → claudius
Resolution: WORKSFORME → ---
Clearing WORKSFORME resolution due to Reopen.
Assignee: sspitzer → don
Status: REOPENED → NEW
Summary: passwords show up in stdout → bugzilla passwords show up in stdout
Seems like we're not talking about mail/news passwords here; reassigning to don.
Move to M13.
Assignee: don → danm
Summary: bugzilla passwords show up in stdout → Security risk: bugzilla passwords show up in stdout
Isn't this a generic dialog problem?
danm.  Reassign to me if you're swamped, I can look at this too.
Assignee: danm → karnaze
Target Milestone: M13
When I follow Claudius' instructions from 09/07/99, I see form submission debug output,
not generic dialog output. Reassigning for consideration to karnaze, who owns the printfs
in question (DebugPrint and its use in nsFormFrame::OnSubmit).
Assignee: karnaze → kmcclusk
Reassigning to Kevin.
Status: NEW → ASSIGNED
Target Milestone: M13
Status: ASSIGNED → RESOLVED
Closed: 21 years ago → 20 years ago
Resolution: --- → FIXED
Fixed in 1/6/2000 2:07PM build. I commented out the lines that were printing
the contents of form elements when the form was submitted.
Status: RESOLVED → VERIFIED
VERIFIED fixed with 20000111 builds
Product: Browser → Seamonkey
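Added example, not part of the bug report or of Mozilla's code: the thread fixes the leak by compiling the debug printfs out; where a form-submission trace has to stay, the submitted body can be scrubbed before it reaches stdout. The function names, the key deny-list and the DEBUG_FORM_SUBMIT macro are hypothetical, and the sample body is constructed.

```cpp
#include <cctype>
#include <cstdio>
#include <initializer_list>
#include <string>

// Decode %XX so a percent-encoded key such as "%50assword" is still recognised.
static std::string url_decode(const std::string& s) {
    std::string out;
    for (std::size_t i = 0; i < s.size(); ++i) {
        bool hex = s[i] == '%' && i + 2 < s.size() &&
                   std::isxdigit((unsigned char)s[i + 1]) && std::isxdigit((unsigned char)s[i + 2]);
        if (!hex) { out += s[i]; continue; }
        out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
        i += 2;
    }
    return out;
}

// Hypothetical deny-list: any field whose decoded, lower-cased name contains one of these.
static bool is_sensitive_key(const std::string& raw_key) {
    std::string key = url_decode(raw_key);
    for (char& c : key) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    for (const char* needle : {"pass", "pwd", "secret", "token"})
        if (key.find(needle) != std::string::npos) return true;
    return false;
}

// Return a copy of an application/x-www-form-urlencoded body that is safe to log.
std::string redact_form_body(const std::string& body) {
    std::string out;
    for (std::size_t start = 0; start <= body.size();) {
        std::size_t end = body.find('&', start);
        if (end == std::string::npos) end = body.size();
        const std::string pair = body.substr(start, end - start);
        const std::size_t eq = pair.find('=');
        if (start != 0) out += '&';
        if (eq != std::string::npos && is_sensitive_key(pair.substr(0, eq)))
            out += pair.substr(0, eq) + "=[REDACTED]";  // keep the field name, drop the value
        else
            out += pair;
        start = end + 1;
    }
    return out;
}

int main() {
    // Constructed sample modelled on the console line quoted in the report.
    const std::string body = "Bugzilla_login=user%40example.com&Bugzilla_password=hunter2&GoAheadAndLogin=login";
#ifdef DEBUG_FORM_SUBMIT  // hypothetical macro: the trace is compiled out of release builds
    std::fprintf(stderr, "submit: %s\n", redact_form_body(body).c_str());
#endif
    return redact_form_body(body).find("hunter2") == std::string::npos ? 0 : 1;
}
```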