Bug#741421: coquelicot: Debug-style Net::IMAP::NoResponseError output in browser on bad user
Attached is my attempt of a backport of your own upstream patch (it should apply cleanly against the current Debian collab-maint repo - I hope I did it right...). -- Rowan Thorpe mailto:ro...@rowanthorpe.com PGP fingerprint: BB0A 0787 C0EE BDD8 7F97 3D30 49F2 13A5 265D CCBD From 23ef9b813bd9358957fac5ac33a4b8cf5e7055a1 Mon Sep 17 00:00:00 2001 From: Rowan Thorpe ro...@rowanthorpe.com Date: Tue, 23 Dec 2014 17:36:43 +0200 Subject: [PATCH 1/1] Don't spill debug output (backport) --- debian/patches/0008-Dont-spill-debug-output.patch | 39 +++ debian/patches/series | 1 + 2 files changed, 40 insertions(+) create mode 100644 debian/patches/0008-Dont-spill-debug-output.patch diff --git a/debian/patches/0008-Dont-spill-debug-output.patch b/debian/patches/0008-Dont-spill-debug-output.patch new file mode 100644 index 000..7acbe36 --- /dev/null +++ b/debian/patches/0008-Dont-spill-debug-output.patch @@ -0,0 +1,39 @@ +From: Rowan Thorpe ro...@rowanthorpe.com +Subject: Stop spilling authentication errors to users + +Address Debian bug #741421 reported by Rowan Thorpe. + +Bug-Debian: http://bugs.debian.org/741421 +Origin: upstream, https://coquelicot.potager.org/gitweb/?p=coquelicot.git;a=commitdiff;h=22bdab9a +Author: Lunar lu...@anargeek.net Tue, 6 May 2014 14:09:56 + +--- + lib/coquelicot/app.rb | 9 - + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/lib/coquelicot/app.rb b/lib/coquelicot/app.rb +index 2c24613..776f49d 100644 +--- a/lib/coquelicot/app.rb b/lib/coquelicot/app.rb +@@ -278,7 +278,11 @@ module Coquelicot + + error 500..510 do + @error = env['sinatra.error'] || response.body.join +- haml :error ++ if request.xhr? ++#{response.body.join} ++ else ++haml :error ++ end + end + + get '/style.css' do +@@ -337,6 +341,9 @@ module Coquelicot + 'OK' + rescue Coquelicot::Auth::Error = ex + error 503, ex.message ++ rescue = ex ++dump_errors! ex ++error 500, Issue has been logged. + end + end + 
diff --git a/debian/patches/series b/debian/patches/series index 796699a..7a06d62 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,4 @@ 0005-Adjust-paths-to-fit-Debian-packaging.patch 0006-Stop-using-non-free-background-image.patch 0007-Add-support-for-the-Psych-YAML-engine.patch +0008-Dont-spill-debug-output.patch -- 2.1.3
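Review bot: in the first app.rb hunk (`error 500..510 do`), the XHR branch returns `response.body.join` instead of the `@error` assigned two lines earlier, so when the handler is entered through an uncaught exception (`env['sinatra.error']` set, body possibly empty) an XHR caller gets an empty or unrelated body rather than a message; returning a fixed string in that case would be safer, and the `"#{response.body.join}"` interpolation can be dropped since `join` already yields a String.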
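Review bot: in the second app.rb hunk, the bare `rescue => ex` catches StandardError only; that covers Net::IMAP::NoResponseError and, on current Rubies, Timeout::Error, which is the case the bug report describes, and it is correctly placed after the `Coquelicot::Auth::Error` rescue so backend-specific failures still reach the 503 path. `dump_errors! ex` writes class, message and backtrace to the app's error stream unconditionally, which is the point of the change; a one-line comment above the `error 500, 'Issue has been logged.'` call stating that the generic text is deliberate (no exception detail may reach the client) would stop a later cleanup from "improving" it back to `ex.message`.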
Bug#741421: coquelicot: Debug-style Net::IMAP::NoResponseError output in browser on bad user
Just adding that this bug seems not to be limited to the IMAP authentication, but is a general behaviour when receiving an exception from any of the authentication modules. I know this because I just implemented LDAP authentication, and any failed authentication from that spills the debug trace the same way (outputs source in the dialog framed rather than rendering it in the main frame).

-- Rowan Thorpe mailto:ro...@rowanthorpe.com

-- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#741421: coquelicot: Debug-style Net::IMAP::NoResponseError output in browser on bad user
Rowan Thorpe:
> Just adding that this bug seems not to be limited to the IMAP authentication, but is a general behaviour when receiving an exception from any of the authentication modules. I know this because I just implemented LDAP authentication, and any failed authentication from that spills the debug trace the same way (outputs source in the dialog framed rather than rendering it in the main frame).

Thanks for the report. I really hope I'll be able to dedicate some time to Coquelicot in the upcoming weeks.

-- Lunar .''`. lu...@debian.org : :Ⓐ : # apt-get install anarchism `. `'` `-
Bug#741421: coquelicot: Debug-style Net::IMAP::NoResponseError output in browser on bad user
Package: coquelicot
Version: 0.9.2-2
Severity: minor
Tags: upstream

Dear Maintainer,

This seems to be an upstream bug too.

* What led up to the situation?

Configured coquelicot to use the supplied IMAP authentication module, then while testing for use of IMAPS (not plaintext authentication) I tried a login with fictional user details.

* What exactly did you do (or not do) that was effective (or ineffective)?

Our mail server was configured to not reply for a bad login attempt, so after a timeout coquelicot borked.

* What was the outcome of this action?

It spilled a very large amount of debug text (including entered username, etc) to the browser.

* What outcome did you expect instead?

The standard minimal "can not authenticate" text.

I hand-edited the system info below because I encountered the bug on a server I remotely administrate, but for security reasons I am not able to report it from within the server.

-- System Information:
Debian Release: wheezy (with apt-get -t jessie install coquelicot only)
Architecture: amd64 (x86_64)

-- Rowan Thorpe mailto:ro...@rowanthorpe.com
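The failure this report describes and the control flow of the backported patch earlier in the thread, as an added Ruby example that is not Coquelicot's code: `Coquelicot::Auth::Error` is the only name taken from the patch; `BackendFailure`, `USERS`, `backend_login` and the simulated debug page are constructed for illustration.

```ruby
# Added example, not Coquelicot's code: models the 'authenticate' route
# before and after the patch with a fake backend (names are constructed).
module Coquelicot
  module Auth
    class Error < StandardError; end  # stand-in for Coquelicot::Auth::Error
  end
end

# Stand-in for what a backend raises on its own (e.g. Net::IMAP::NoResponseError
# or a timeout); constructed so the example runs without a mail server.
class BackendFailure < StandardError; end

USERS = { 'alice' => 'secret' }.freeze  # constructed credential store

def backend_login(username, password)
  raise Coquelicot::Auth::Error, 'Empty username' if username.empty?
  # As in the report: no usable reply from the server for an unknown login.
  raise BackendFailure, "no response for LOGIN #{username}" unless USERS[username]
  raise Coquelicot::Auth::Error, 'Authentication failed' unless USERS[username] == password
  true
end

# Unpatched behaviour: the backend exception escapes the route and the debug
# page (simulated here) shows message, backtrace and the request params.
def authenticate_unpatched(username, password)
  backend_login(username, password)
  [200, 'OK']
rescue Coquelicot::Auth::Error => ex
  [503, ex.message]
rescue => ex
  page = ["#{ex.class}: #{ex.message}", "params: username=#{username}"]
  [500, (page + (ex.backtrace || [])).join("\n")]
end

# Patched route: details go only to the server log (`log` plays the role of
# dump_errors!) and the client gets a fixed message. Returns [status, body, log].
def authenticate(username, password, log = [])
  backend_login(username, password)
  [200, 'OK', log]
rescue Coquelicot::Auth::Error => ex
  [503, ex.message, log]
rescue => ex  # StandardError only, as in the patch
  log << "#{ex.class}: #{ex.message}"
  log.concat(ex.backtrace || [])
  [500, 'Issue has been logged.', log]
end
```

The same failed login yields a body containing the username and a backtrace from `authenticate_unpatched`, and only the fixed message from `authenticate`, with the detail kept in the log.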