https://bugs.kde.org/show_bug.cgi?id=505561
Bug ID: 505561
Summary: akonadi_ews_resource log messages logs user password in plain text
Classification: Frameworks and Libraries
Product: Akonadi
Version First Reported In: unspecified
Platform: Fedora RPMs
OS: Linux
Status: REPORTED
Severity: critical
Priority: NOR
Component: EWS Resource
Assignee: kdepim-b...@kde.org
Reporter: fisc...@unix-ag.uni-kl.de
CC: c...@carlschwan.eu, kri...@op.pl
Target Milestone: ---

Checking my logs (journalctl) I found lines like this:

    akonadi_ews_resource[3499]: org.kde.pim.ews.client: Failed to process EWS request: Error transferring https://USERNAME:PASSWORD@mail.DOMAIN/EWS/Exchange.asmx - server replied: Internal Server Error

Here, "USERNAME", "PASSWORD", and "DOMAIN" are placeholders for the real, plain values used in my setup.

The problem is not the error itself, but that the user's password got logged in plain text.

Please review the EWS component so that any logging of URLs and similar strips the credentials from the URL. Probably QUrl's toDisplayString can be used as it is supposed to strip away passwords.

The log messages were recorded last in March on a Fedora Linux system (probably 41), but not since then.
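The redaction the report asks for, as an added standard-C++ example that is not Akonadi's code and does not use Qt: the function name `redact_url_credentials` and its `keep_user` flag are hypothetical, and the sample line is the one from the report with its placeholders. With `keep_user=true` only the password is removed, which is the behaviour the report expects from QUrl's toDisplayString; the default drops the whole userinfo.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// True for characters that end a URL authority (userinfo, host, port).
static bool ends_authority(char c) {
    return c == '/' || c == '?' || c == '#' || c == ' ' || c == '\t' ||
           c == '\n' || c == '"' || c == '\'' || c == '<' || c == '>';
}

// Strip credentials from every "scheme://userinfo@host" in a log message.
// keep_user=false drops the whole userinfo; keep_user=true drops only the
// password and keeps "user@".
std::string redact_url_credentials(const std::string& msg, bool keep_user = false) {
    std::string out;
    std::size_t pos = 0;
    for (;;) {
        std::size_t sep = msg.find("://", pos);
        if (sep == std::string::npos) break;
        std::size_t auth = sep + 3;            // first character of the authority
        std::size_t end = auth;
        while (end < msg.size() && !ends_authority(msg[end])) ++end;
        out.append(msg, pos, auth - pos);      // text up to and including "://"
        // The last '@' inside the authority separates userinfo from host, so an
        // unencoded '@' in the password is covered and an '@' in the path is not.
        std::size_t at = (end > auth) ? msg.rfind('@', end - 1) : std::string::npos;
        std::size_t host = auth;
        if (at != std::string::npos && at >= auth) {
            if (keep_user) {
                std::size_t colon = msg.find(':', auth);
                std::size_t user_end = (colon < at) ? colon : at;
                out.append(msg, auth, user_end - auth);
                out.push_back('@');
            }
            host = at + 1;
        }
        out.append(msg, host, end - host);
        pos = end;
    }
    out.append(msg, pos, std::string::npos);   // remainder after the last URL
    return out;
}

int main() {
    // Sample input: the journal line from the report, placeholders unchanged.
    const std::string line = "Failed to process EWS request: Error transferring "
        "https://USERNAME:PASSWORD@mail.DOMAIN/EWS/Exchange.asmx - server replied: Internal Server Error";
    std::cout << redact_url_credentials(line) << '\n';
}
```

Applying the function to the formatted message just before it reaches the logging call also covers error strings that embed the URL, such as the "Error transferring" text above.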