
desktop-packages team mailing list archive

[Bug 807745] Re: Should not include private PPA details in software-center.log

 

This bug was fixed in the package software-center - 4.0.5

---------------
software-center (4.0.5) natty-proposed; urgency=low

  [ Aaron Peachey ]
  * softwarecenter/view/appdetailsview_gtk.py,
    softwarecenter/view/widgets/reviews.py:
    - fix duplication of reviews upon submitting a new
      review, completes the fix for LP: #794060

  [ Gary Lasker ]
  * softwarecenter/utils.py,
    softwarecenter/backend/aptd.py,
    test/test_software_channels.py:
    - obfuscate private ppa details in the error log output and in
      the error dialog itself, add corresponding unit test
      (LP: #807745)
  * merge lp:~evfool/software-center/nonetworkfixes, fixes two menu
    item network state bugs, many thanks to Robert Roth
    (LP: #802919, LP: #802920)
 -- Michael Vogt <michael.vogt@xxxxxxxxxx>   Wed, 13 Jul 2011 14:24:50 +0200

** Changed in: software-center (Ubuntu Natty)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to software-center in Ubuntu.
https://bugs.launchpad.net/bugs/807745

Title:
  Should not include private PPA details in software-center.log

Status in “software-center” package in Ubuntu:
  Fix Released
Status in “software-center” source package in Maverick:
  Fix Released
Status in “software-center” source package in Natty:
  Fix Released

Bug description:
  Currently, when a transaction failed error occurs, we log the error
  message from aptdaemon in software-center.log. If the transaction
  failure was associated with a private PPA, the username and password
  details will be included in the message from aptdaemon and so will be
  included in the log. Since this log can potentially be exposed in a bug
  report, we should obfuscate these details in both the log message and
  also in the corresponding dialog that is displayed for the error (since
  a screenshot of the dialog could potentially be attached to a bug as well).

  TEST CASE for Maverick and Natty SRUs:

  1. (For Maverick) Update to Software Center 3.0.10 in maverick-proposed.
     -or-
  1. (For Natty) Update to Software Center 4.0.5 in natty-proposed.
  2. Open Software Center, navigate to the "For Purchase" section and purchase an item (or simply reinstall a previously purchased item if you have one). Note that a larger package download will make verification easier, as it provides more time to interrupt the download in progress to induce the failure mode. Note that Steel Storm: Burning Retribution is a ~690MB download and is priced at $4.99, making it a good candidate for this test (but any purchased package will do).
  3. After the package download has begun and during the download itself, shut off your network connection.
  4. Wait for the transaction to time out (this takes a couple of minutes). The failure is indicated when the "Failed to download package files" error dialog appears.
  5. In the error dialog, expand the "Details" section and verify that the username and password portions of the given URL are rendered as "hidden:hidden" (e.g. "Failed to fetch https://hidden:hidden@xxxxxxxxxxxxxxxxxxxxxxxxx/commercial-ppa-uploaders/steel-storm2/ubuntu/pool/main/s/steelstorm-episode2/steelstorm-episode2-data_2.00.02818-0maverick1_all.deb").
  6. View the file ~/.cache/software-center.log, navigate to the end and find the error message. Again verify that the username and password portions of the given URLs are rendered as "hidden:hidden".

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/software-center/+bug/807745/+subscriptions
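
Added example, not the software-center code and not part of the original message: one way to get the "hidden:hidden" rendering the test case checks for, applied both to an error string (as shown in the dialog) and to log records before a handler writes them. The names hide_url_credentials and CredentialScrubFilter, and the sample user, password and host, are assumptions made up for illustration.

```python
import logging
import re

# scheme://userinfo@ where userinfo runs up to the last "@" before the path.
# Greedy on purpose: a password containing a raw "@" is still fully covered.
_USERINFO_RE = re.compile(r"(?P<scheme>\b[a-zA-Z][a-zA-Z0-9+.\-]*://)[^\s/?#]*@")


def hide_url_credentials(text):
    """Replace the userinfo part of every URL in text with hidden:hidden."""
    return _USERINFO_RE.sub(r"\g<scheme>hidden:hidden@", text)


class CredentialScrubFilter(logging.Filter):
    """Scrub the fully formatted message before any handler writes it."""

    def filter(self, record):
        record.msg = hide_url_credentials(record.getMessage())
        record.args = None  # message is already formatted; avoid re-formatting
        return True


# Constructed sample: user, password and host are made up.
SAMPLE_ERROR = (
    "Failed to fetch https://alice:s3cr3t@ppa.example.invalid/ubuntu/pool/"
    "main/s/steelstorm/data_all.deb  Connection timed out"
)


def log_through_filter(message, *args):
    """Log one error through the filter and return what the handler wrote."""
    captured = []

    class ListHandler(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    logger = logging.getLogger("scrub-demo")
    logger.handlers = []
    logger.propagate = False
    handler = ListHandler()
    handler.addFilter(CredentialScrubFilter())
    logger.addHandler(handler)
    logger.error(message, *args)
    return captured[0]


if __name__ == "__main__":
    print(hide_url_credentials(SAMPLE_ERROR))
    print(log_through_filter("transaction failed: %s", SAMPLE_ERROR))
```

Attaching the filter to the handler rather than scrubbing at each call site means a credential passed as a format argument is also covered, since the filter works on the fully formatted message.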