User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Build Identifier: Bugzilla Version 2.22.2

I work at the University of Kansas. We are forming a Quality Assurance group in the Information Technology area. We will be using Bugzilla. Another group is already using Bugzilla. The person in charge of giving us access to Bugzilla gave my supervisor access. The access worked. So I tried to get onto Bugzilla. I was not given access. When I tried to sign on I received this System message:

Bugzilla::Auth::Verify::LDAP::Authenticate('Bugzilla::Auth::Verify::'LDAP','m-hans', 'my password XXXXX') called.

There were two more messages that have my password in them: 'insert_new_user' and 'Verify LDAP'. I cannot reduplicate the situation because I was set up and got into Bugzilla. I think I should inform you of the situation. No one should have the password displayed on a system message. You can contact me at firstname.lastname@example.org for further information. I think I gave all the information that was displayed to me.

Thanks,
Michael Harmon

Reproducible: Couldn't Reproduce

Steps to Reproduce:
1.
2.
3.
So what you mean is that this occurs the very first time when you have no account yet, and that you don't get this error anymore when trying to log in again later?
(In reply to comment #0)
> I was not given access. When I tried to sign on I received this System
> message.

To be clear, what do you mean by "System message"? Did you get it in your web browser, in your web server log or anywhere else?
I think what we need to do here is disable CGI::Carp's fatalsToBrowser during any call which might include someone's password. To be clear, this situation should be relatively rare, which is why I'm marking this as minor. Something would have to actually "die" or "confess" with a backtrace that involved the password.
In Bugzilla 3.0, I re-wrote the Auth system to pass around hashrefs instead of directly passing around the username and password as strings. That means that if there's a crash in this code, it will simply display something like HASH(0x1298fade) instead of the password. So that makes this WFM as of Bugzilla 3.0 or later.
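As an added illustration of the point made in the last two comments (example code, not Bugzilla's own), the script below uses Carp::confess to show why a backtrace prints string arguments verbatim but only the HASH(0x...) address of a hashref. The authenticate_* subs and the credential values are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla code: a Carp backtrace lists each frame's
# arguments, so a password passed as a plain string ends up in the trace
# (and, under CGI::Carp's fatalsToBrowser, in the browser), while a hashref
# is stringified to its address only.
use strict;
use warnings;
use Carp qw(confess);

# Hypothetical verifier that fails hard, as the LDAP verifier in the report did.
sub authenticate_strings {
    my ($username, $password) = @_;
    confess "LDAP bind failed";
}

# Same failure, but credentials arrive in one hashref (the 3.0 approach).
sub authenticate_hashref {
    my ($params) = @_;          # { username => ..., password => ... }
    confess "LDAP bind failed";
}

# Constructed sample credentials
my ($user, $pass) = ('m-hans', 'CONSTRUCTED-SAMPLE-SECRET');

for my $case (
    [ strings => sub { authenticate_strings($user, $pass) } ],
    [ hashref => sub { authenticate_hashref({ username => $user, password => $pass }) } ],
) {
    my ($name, $call) = @$case;
    eval { $call->() };
    my $trace  = $@;                                  # message plus backtrace
    my $status = index($trace, $pass) >= 0 ? 'LEAKED into trace' : 'not in trace';
    print "$name: password $status\n";
    # Second line of the trace is the frame for the failing sub, with its arguments.
    print "  ", (split /\n/, $trace)[1], "\n";
}
```

The hashref frame reads `main::authenticate_hashref('HASH(0x...)')`, which is what the comment above refers to; the string frame reproduces the password exactly as in the original report.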