c2c-oerpscenario team mailing list archive

Thread
Date

Re: [Bug 612956] Re: Readable password in logs

To: c2c-oerpscenario@xxxxxxxxxxxxxxxxxxx
From: xrg <xrg@xxxxxxxxx>
Date: Fri, 19 Nov 2010 08:07:02 -0000
Reply-to: Bug 612956 <612956@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

On Thursday 18 November 2010, you wrote:
> ** Visibility changed to: Public
> 
> ** This bug is no longer flagged as a security vulnerability
> 

Well, in order to have the passwords stored in logs, you would have to lower 
the debugging level to debug_rpc or so. In that mode, you are no longer at a 
"production" setup, so we can tolerate the fact that the password gets in the 
logs.
I wouldn't call it a 100% (-of the time) vulnerability.

-- 
Readable password in logs
https://bugs.launchpad.net/bugs/612956
You received this bug notification because you are a member of C2C
OERPScenario, which is subscribed to the OpenERP Project Group.

Status in OpenObject Addons Modules: Invalid

Bug description:
opener-server.log (5.12 and 6.0) the database password appears clearly in one line.

[2010-08-03 20:07:33,143] DEBUG:db.connection_pool:ConnectionPool(used=0/count=0/max=64) Borrow connection to 'user=openerp password=password dbname=template1'

Other lines are correct with a masked password:

[2010-08-03 20:07:33,146] DEBUG:db.connection_pool:ConnectionPool(used=1/count=1/max=64) Create new connection
[2010-08-03 20:07:33,234] DEBUG:db.connection_pool:ConnectionPool(used=1/count=1/max=64) Give back connection to 'user=openerp password=xxxxxxxxxx dbname=template1'
[2010-08-03 20:07:33,235] DEBUG:db.connection_pool:ConnectionPool(used=0/count=0/max=64) Forgot connection to 'user=openerp password=xxxxxxxxxx dbname=template1'

References

[Bug 612956] Re: Readable password in logs
From: vra (openerp), 2010-11-18