
desktop-packages team mailing list archive

[Bug 807745] Re: Should not include private PPA details in software-center.log

 

** Visibility changed to: Public

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to software-center in Ubuntu.
https://bugs.launchpad.net/bugs/807745

Title:
  Should not include private PPA details in software-center.log

Status in “software-center” package in Ubuntu:
  Fix Released
Status in “software-center” source package in Maverick:
  Fix Released
Status in “software-center” source package in Natty:
  Fix Committed

Bug description:
  Currently, when a transaction failed error occurs, we log the error
  message from aptdaemon in software-center.log. If the transaction
  failure was associated with a private PPA, the username and password
  details will be included in the message from aptdaemon and so will be
  included in the log. Since this log can potentially be exposed in a bug
  report, we should obfuscate these details in both the log message and
  also in the corresponding dialog that is displayed for the error (since
  a screenshot of the dialog could potentially be attached to a bug as well).

  TEST CASE for Maverick and Natty SRUs:

  1. (For Maverick) Update to Software Center 3.0.10 in maverick-proposed.
     -or-
  1. (For Natty) Update to Software Center 4.0.5 in natty-proposed.
  2. Open Software Center, navigate to the "For Purchase" section and purchase an item (or simply reinstall a previously purchased item if you have one). Note that a larger package download will make verification easier, as it provides more time to interrupt the download in progress to induce the failure mode. Note that Steel Storm: Burning Retribution is a ~690MB download and is priced at $4.99, making it a good candidate for this test (but any purchased package will do).
  3. After the package download has begun and during the download itself, shut off your network connection.
  4. Wait for the transaction to time out (this takes a couple of minutes). The failure is indicated when the "Failed to download package files" error dialog appears.
  5. In the error dialog, expand the "Details" section and verify that the username and password portions of the given URL are rendered as "hidden:hidden" (e.g. "Failed to fetch https://hidden:hidden@xxxxxxxxxxxxxxxxxxxxxxxxx/commercial-ppa-uploaders/steel-storm2/ubuntu/pool/main/s/steelstorm-episode2/steelstorm-episode2-data_2.00.02818-0maverick1_all.deb").
  6. View the file ~/.cache/software-center.log, navigate to the end and find the error message. Again verify that the username and password portions of the given URLs are rendered as "hidden:hidden".

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-center/+bug/807745/+subscriptions
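
The obfuscation the bug description asks for, as an added example (not software-center's or aptdaemon's code, and not part of the original report): a function that rewrites the userinfo part of any URL in an error string to "hidden:hidden", plus a logging filter that applies it before a record reaches the log file. The function, class and logger names and the sample error string are constructed for illustration.

```python
import io
import logging
import re

# Userinfo sits between "://" and the last "@" before the first "/", "?", "#"
# or whitespace. Matching greedily up to that "@" also covers passwords that
# contain an unescaped "@".
_USERINFO_RE = re.compile(r"\b([a-zA-Z][a-zA-Z0-9+.-]*://)[^/?#\s]*@")


def obfuscate_credentials(text):
    """Replace user[:password]@ in every URL found in text with hidden:hidden@."""
    return _USERINFO_RE.sub(r"\1hidden:hidden@", text)


class CredentialFilter(logging.Filter):
    """Scrub the fully formatted message so credentials passed as args are caught."""

    def filter(self, record):
        record.msg = obfuscate_credentials(record.getMessage())
        record.args = ()
        return True


# Constructed sample of an aptdaemon-style error string (not real output).
SAMPLE_ERROR = (
    "Failed to fetch https://alice:s3cr3t@ppa.example.invalid/ubuntu/pool/"
    "main/d/demo/demo_1.0_all.deb  Connection timed out"
)


def demo():
    """Log SAMPLE_ERROR through the filter and return what reached the handler."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(CredentialFilter())
    log = logging.getLogger("redaction-demo")  # hypothetical logger name
    log.setLevel(logging.ERROR)
    log.propagate = False
    log.addHandler(handler)
    try:
        log.error("transaction failed: %s", SAMPLE_ERROR)
    finally:
        log.removeHandler(handler)
    return stream.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

The same `obfuscate_credentials` call can be applied to the text shown in the error dialog's "Details" section. The filter only rewrites the message itself; traceback text attached via `exc_info` is formatted later by the handler and would need the same treatment in a custom formatter.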