hey,

On 17/11/2009 Chris January wrote:
> I noticed that passwords are output in plain text to the imap log file if
> imap_debug is set to true in main.inc.php. If I don't configure my web
> server correctly (e.g. don't set AllowOverride with Apache) then the log
> file may be downloaded from the logs directory, exposing the passwords.
> Obviously it pays to make sure that my web server is configured correctly,
> but since this is an easy mistake to make I think it would be worthwhile
> masking passwords in the imap debug log.
> I attach a patch that does just that.

yes, please please accept this patch upstream. i consider it as a major security issue if plaintext passwords are logged to a logfile, even if that's only with debugging options enabled.

greetings,
jonas
_______________________________________________ List info: http://lists.roundcube.net/dev/
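
One way to do the masking discussed in this thread, as an added example: it is not the attached patch (which is not shown on this page) and not Roundcube's own code. The class name, the `****` placeholder and the sample lines are assumptions made for illustration; it covers `LOGIN` with quoted, atom and literal arguments and `AUTHENTICATE` with or without an initial response.

```php
<?php
// Added example, not Roundcube code: redact secrets from IMAP client
// commands before they are written to a debug log.
// Assumption: mask() receives each raw client-to-server line, in order.
final class ImapDebugMasker
{
    // True when the next client line is a literal or a SASL response.
    private $secretNext = false;

    public function mask(string $line): string
    {
        $line = rtrim($line, "\r\n");
        $literal = (bool) preg_match('/\{\d+\+?\}$/', $line);
        if ($this->secretNext) {
            // Stay in masking mode if this line announces another literal.
            $this->secretNext = $literal;
            return '****';
        }
        if (preg_match('/^(\S+ LOGIN) /i', $line, $m)) {
            // A LOGIN argument is a quoted string (with escapes) or an atom.
            $arg = '(?:"(?:[^"\\\\]|\\\\.)*"|\S+)';
            $out = preg_replace('/^(\S+ LOGIN ' . $arg . ' )' . $arg . '$/i',
                                '$1****', $line, -1, $n);
            $this->secretNext = $literal;
            // Fail closed: an unparsable LOGIN line is masked entirely.
            return ($n || $literal) ? $out : $m[1] . ' ****';
        }
        if (preg_match('/^(\S+ AUTHENTICATE \S+)( \S+)?$/i', $line, $m)) {
            // Without an initial response the secret is on the next line.
            $this->secretNext = !isset($m[2]);
            return $m[1] . (isset($m[2]) ? ' ****' : '');
        }
        return $line;
    }
}

// Constructed sample session (client lines only).
$masker = new ImapDebugMasker();
$session = ['A1 LOGIN alice "s3cr3t pw"', 'A2 LOGIN bob {6}', 'hunter',
            'A3 AUTHENTICATE PLAIN', 'AGJvYgBodW50ZXI=', 'A4 SELECT INBOX'];
foreach ($session as $clientLine) {
    echo $masker->mask($clientLine), "\n";
}
```

Masking at the point where the line is written to the log, rather than cleaning the file afterwards, means the secret never reaches disk even if the logs directory is web-readable.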