Bug#741421: coquelicot: Debug-style Net::IMAP::NoResponseError output in browser on bad user

2014-12-23 Thread Rowan Thorpe
Attached is my attempt at a backport of your own upstream patch (it should
apply cleanly against the current Debian collab-maint repo - I hope I did it
right...).

-- 
Rowan Thorpe
mailto:ro...@rowanthorpe.com
PGP fingerprint:
 BB0A 0787 C0EE BDD8 7F97  3D30 49F2 13A5 265D CCBD
From 23ef9b813bd9358957fac5ac33a4b8cf5e7055a1 Mon Sep 17 00:00:00 2001
From: Rowan Thorpe ro...@rowanthorpe.com
Date: Tue, 23 Dec 2014 17:36:43 +0200
Subject: [PATCH 1/1] Don't spill debug output (backport)

---
 debian/patches/0008-Dont-spill-debug-output.patch | 39 +++
 debian/patches/series |  1 +
 2 files changed, 40 insertions(+)
 create mode 100644 debian/patches/0008-Dont-spill-debug-output.patch

diff --git a/debian/patches/0008-Dont-spill-debug-output.patch b/debian/patches/0008-Dont-spill-debug-output.patch
new file mode 100644
index 000..7acbe36
--- /dev/null
+++ b/debian/patches/0008-Dont-spill-debug-output.patch
@@ -0,0 +1,39 @@
+From: Rowan Thorpe ro...@rowanthorpe.com
+Subject: Stop spilling authentication errors to users
+
+Address Debian bug #741421 reported by Rowan Thorpe.
+
+Bug-Debian: http://bugs.debian.org/741421
+Origin: upstream, https://coquelicot.potager.org/gitweb/?p=coquelicot.git;a=commitdiff;h=22bdab9a
+Author: Lunar lu...@anargeek.net Tue, 6 May 2014 14:09:56 +
+---
+ lib/coquelicot/app.rb | 9 -
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/lib/coquelicot/app.rb b/lib/coquelicot/app.rb
+index 2c24613..776f49d 100644
+--- a/lib/coquelicot/app.rb
 b/lib/coquelicot/app.rb
+@@ -278,7 +278,11 @@ module Coquelicot
+ 
+ error 500..510 do
+   @error = env['sinatra.error'] || response.body.join
+-  haml :error
++  if request.xhr?
++#{response.body.join}
++  else
++haml :error
++  end
+ end
+ 
+ get '/style.css' do
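Review bot: On the `request.xhr?` branch the body sent back is `response.body.join`, i.e. the string that was handed to `error` (or whatever Sinatra left in the body for an unhandled exception), while the `@error` computed one line above is only consulted on the `haml :error` path; a short comment saying that XHR callers get the bare message so the dialog renders text instead of a full page would help the next reader, and it is worth checking what `response.body.join` contains when no explicit `error` message was given. As rendered here the interpolated line reads `++#{response.body.join}` with no surrounding quotes, and the `+++ b/lib/coquelicot/app.rb` file header is missing its `+++`; confirm the stored patch file has both, otherwise `quilt push` and the Ruby parser will both reject it.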
+@@ -337,6 +341,9 @@ module Coquelicot
+ 'OK'
+   rescue Coquelicot::Auth::Error = ex
+ error 503, ex.message
++  rescue = ex
++dump_errors! ex
++error 500, Issue has been logged.
+   end
+ end
+ 
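Review bot: `rescue => ex` only catches `StandardError` and its subclasses, and the report that motivated this patch describes the spill happening after a server timeout; confirm that the exception raised in that case, under the Ruby versions the package targets, is a `StandardError` subclass, since anything else still escapes the route and lands in the generic error handler. `dump_errors! ex` writes the class, message and backtrace to the Rack error stream, which is the right place for them, but the log then holds the submitted credentials and should be treated as sensitive. As rendered, `rescue Coquelicot::Auth::Error = ex` and `rescue = ex` lack the `>` of `=> ex`, and `error 500, Issue has been logged.` lacks quotes; check that the stored file has `=> ex` and `'Issue has been logged.'`.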
diff --git a/debian/patches/series b/debian/patches/series
index 796699a..7a06d62 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@
 0005-Adjust-paths-to-fit-Debian-packaging.patch
 0006-Stop-using-non-free-background-image.patch
 0007-Add-support-for-the-Psych-YAML-engine.patch
+0008-Dont-spill-debug-output.patch
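Review bot: The DEP-3 header of the patch added to the series here names Rowan Thorpe in `From:` and Lunar in `Author:`; DEP-3 treats `From` and `Author` as the same field, so keep a single one for the upstream author and record the backporter elsewhere (for example `Reviewed-by:` plus a `Last-Update:` date). Since this is a backport of an already-applied upstream commit, `Origin: backport, <url>` (or `Applied-Upstream:` with the commit) describes it more precisely than `Origin: upstream`.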
-- 
2.1.3
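The shape of the fix in the patch above, as an added, self-contained Ruby example that is not Coquelicot's code and uses no Sinatra: `AuthError` and `BackendError` are hypothetical stand-ins for `Coquelicot::Auth::Error` and for a transport failure such as the `Net::IMAP::NoResponseError` in the report, `authenticate` is a constructed authenticator with one fixed credential pair, and the two `*_login_response` functions contrast the pre-fix handler, which hands every exception's text to the client, with the patched pattern of a 503 carrying the expected auth message and a logged, generic 500 for everything else.

```ruby
require 'cgi'
require 'logger'
require 'stringio'

# Hypothetical stand-in for Coquelicot::Auth::Error: the exception an
# authenticator raises for an ordinary "wrong credentials" outcome, whose
# message is meant to be shown to the user.
class AuthError < StandardError; end

# Hypothetical stand-in for a transport failure such as the
# Net::IMAP::NoResponseError from the bug report. Its message carries raw
# server output, including the submitted credentials.
class BackendError < StandardError; end

# Constructed authenticator (not Coquelicot's): one fixed credential pair,
# AuthError for a wrong password, BackendError for the user "timeout",
# which stands in for the mail server that never answered.
def authenticate(user, password)
  if user == 'timeout'
    raise BackendError, "NO [AUTHENTICATIONFAILED] user=#{user} pass=#{password}"
  end
  raise AuthError, 'Authentication failed' unless user == 'alice' && password == 'correct horse'
  true
end

# Renders an error the way the patched handler does: XHR callers get the bare
# message (the dialog shows it as text), browsers get a minimal HTML page.
def render_error(status, message, xhr)
  return [status, message] if xhr
  [status, "<html><body><h1>Error #{status}</h1><p>#{CGI.escapeHTML(message)}</p></body></html>"]
end

# Pre-fix behaviour: every exception is dumped, debug style, to the client.
# For BackendError that text includes the submitted credentials.
def unpatched_login_response(user, password, xhr: false)
  authenticate(user, password)
  [200, 'OK']
rescue => ex
  render_error(500, "#{ex.class}: #{ex.message}\n#{ex.backtrace.join("\n")}", xhr)
end

# Post-fix behaviour, modelled on the patched route: an expected
# authentication failure is reported as 503 with its own message; anything
# else (StandardError and subclasses) is logged in full and the client only
# sees a fixed 500 text. The logger is injected so callers can inspect it.
def login_response(user, password, log, xhr: false)
  authenticate(user, password)
  [200, 'OK']
rescue AuthError => ex
  render_error(503, ex.message, xhr)
rescue => ex
  log.error("#{ex.class}: #{ex.message}\n  #{ex.backtrace.join("\n  ")}")
  render_error(500, 'Issue has been logged.', xhr)
end

if $PROGRAM_NAME == __FILE__
  log = Logger.new($stderr)
  p unpatched_login_response('timeout', 'hunter2', xhr: true)   # credentials leak to client
  p login_response('timeout', 'hunter2', log, xhr: true)         # [500, "Issue has been logged."]
  p login_response('alice', 'wrong', log, xhr: true)             # [503, "Authentication failed"]
  p login_response('alice', 'correct horse', log)                # [200, "OK"]
end
```

The important property is that the full exception text goes to the log and only to the log, so the log itself now holds the submitted username and must be protected accordingly; the client-facing string is a constant, which is what the report asked for in place of the raw IMAP error.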



Bug#741421: coquelicot: Debug-style Net::IMAP::NoResponseError output in browser on bad user

2014-03-31 Thread Rowan Thorpe
Just adding that this bug seems not to be limited to the IMAP authentication,
but is a general behaviour when receiving an exception from any of the
authentication modules. I know this because I just implemented LDAP
authentication, and any failed authentication from that spills the debug
trace the same way (outputs source in the dialog framed rather than rendering
it in the main frame).

-- 
Rowan Thorpe
mailto:ro...@rowanthorpe.com


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#741421: coquelicot: Debug-style Net::IMAP::NoResponseError output in browser on bad user

2014-03-31 Thread Jérémy Bobbio
Rowan Thorpe:
 Just adding that this bug seems not to be limited to the IMAP authentication,
 but is a general behaviour when receiving an exception from any of the
 authentication modules. I know this because I just implemented LDAP
 authentication, and any failed authentication from that spills the debug
 trace the same way (outputs source in the dialog framed rather than rendering
 it in the main frame).

Thanks for the report. I really hope I'll be able to dedicate some time
to Coquelicot in the upcoming weeks.

-- 
Lunar.''`. 
lu...@debian.org: :Ⓐ  :  # apt-get install anarchism
`. `'` 
  `-   




Bug#741421: coquelicot: Debug-style Net::IMAP::NoResponseError output in browser on bad user

2014-03-12 Thread Rowan Thorpe
Package: coquelicot
Version: 0.9.2-2
Severity: minor
Tags: upstream

Dear Maintainer,

This seems to be an upstream bug too.

   * What led up to the situation?

Configured coquelicot to use the supplied IMAP authentication module, then
while testing for use of IMAPS (not plaintext authentication) I tried a
login with fictional user details.

   * What exactly did you do (or not do) that was effective (or
 ineffective)?

Our mail server was configured to not reply for a bad login attempt, so after
a timeout coquelicot borked.

   * What was the outcome of this action?

It spilled a very large amount of debug text (including entered username,
etc) to the browser.

   * What outcome did you expect instead?

The standard minimal "can not authenticate" text.

=> I hand-edited the system info below because I encountered the bug on a
   server I remotely administrate, but for security reasons I am not able to
   report it from within the server.

-- System Information:
Debian Release: wheezy (with apt-get -t jessie install coquelicot only)
Architecture: amd64 (x86_64)

-- 
Rowan Thorpe
mailto:ro...@rowanthorpe.com

