View Issue Details

ID: 0002953
Project: SOGo
Category: Backend General
View Status: public
Last Update: 2014-11-21 20:35
Reporter: franta
Assigned To: francis
Status: resolved
Resolution: fixed
Product Version: 2.2.9a
Fixed in Version: 2.2.10
Summary: 0002953: Database password should not leak in logs

When there is a problem connecting to the DB, the error is logged. The bad thing is that it logs the whole DB URL, including the database password.

Oct 14 12:01:21 sogod [1817]: [ERROR] <0x0x7fb37c0fb7e0[GCSChannelManager]> could not open channel <0x0x7fb37bf481d0[PostgreSQL72Channel]: not-connected> for URL: postgresql://sogo:XXX_THERE_IS_PASSWORD_XXX@localhost:5432/postgres/sogo_user_profile

Oct 14 12:04:07 sogod [1818]: <0x0x7fb37c0fb7e0[GCSChannelManager]> db for postgresql://sogo:XXX_THERE_IS_PASSWORD_XXX@localhost:5432/postgres/sogo_sessions_folder is now back up

Steps To Reproduce

Shut down the SQL server, try to use SOGo and look up your DB URL in the log file.

Additional Information

Only members of the adm group have permission to the /var/log/sogo/ directory - but despite this fact, the password should not leak in log files. Hostname+username+dbname is enough for debugging purposes.

Tags: No tags attached.
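
A log scrubber for the leak reported above, as an added example that is not part of the original report and not SOGo's own fix: it masks the password in any scheme://user:password@host URL found in a log line and keeps the host, user name and database name. The function names, the mask string and the last two sample lines are assumptions made for illustration.

```python
import re

MASK = "***"  # replacement text, chosen for this example

# scheme://user:password@ inside a log line. The password class excludes
# "/", "?", "#" and whitespace, so it cannot leave the authority part; being
# greedy, it runs up to the LAST "@" there, which covers passwords that
# themselves contain "@" or ":".
CRED_URL = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*://)"
    r"(?P<user>[^:@/?#\s]*)"
    r":(?P<password>[^/?#\s]+)"
    r"@"
)

def redact_line(line):
    """Return the line with every URL password replaced by MASK."""
    return CRED_URL.sub(lambda m: f"{m['scheme']}{m['user']}:{MASK}@", line)

def find_leaks(lines):
    """Return (line_number, redacted_line) for each line that held a password."""
    hits = []
    for number, line in enumerate(lines, start=1):
        redacted = redact_line(line)
        if redacted != line:  # already-masked or password-free lines are skipped
            hits.append((number, redacted))
    return hits

# Lines 1-2 are the log lines quoted in the report (password placeholder as
# posted); lines 3-4 are constructed edge cases.
SAMPLE_LOG = [
    "Oct 14 12:01:21 sogod [1817]: [ERROR] <0x0x7fb37c0fb7e0[GCSChannelManager]> "
    "could not open channel <0x0x7fb37bf481d0[PostgreSQL72Channel]: not-connected> "
    "for URL: postgresql://sogo:XXX_THERE_IS_PASSWORD_XXX@localhost:5432/postgres/sogo_user_profile",
    "Oct 14 12:04:07 sogod [1818]: <0x0x7fb37c0fb7e0[GCSChannelManager]> db for "
    "postgresql://sogo:XXX_THERE_IS_PASSWORD_XXX@localhost:5432/postgres/sogo_sessions_folder "
    "is now back up",
    "db for postgresql://sogo@localhost:5432/postgres/sogo_acl is now back up",
    "could not open channel for URL: mysql://sogo:p@ss:w0rd@db.example.org/sogo",
]

if __name__ == "__main__":
    for number, redacted in find_leaks(SAMPLE_LOG):
        print(f"line {number}: {redacted}")
```
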

Issue History

Date Modified Username Field Change
2014-10-14 15:46 franta New Issue
2014-10-14 16:55 francis Note Added: 0007609
2014-10-14 16:55 francis Status new => resolved
2014-10-14 16:55 francis Fixed in Version => 2.2.10
2014-10-14 16:55 francis Resolution open => fixed
2014-10-14 16:55 francis Assigned To => francis
2014-11-21 20:35 ludovic View Status private => public