User credentials stored in clear text in a stack trace and log #8511
Comments
I was able to reproduce this too, and I talked it over with @snipe and our current thinking is that if you only get it when you're in Debug mode, then it's probably OK. Can you confirm you were in Debug mode? Because if not - yes, you're absolutely right, this is definitely not something we want to do at all.
Yes, I was in Debug mode. Should have stated this. Nevertheless I'm still thinking, this is a bad idea. Debug mode or not.
Tested again. Doesn't matter if Debug mode or not. The credentials are always in laravel.log.
Yeah, that is very not cool. I don't know how we can tell the library that we're consuming not to do that though. I'll try and figure something out.
While writing an issue about an error while logging in using an LDAP user (#8510), I noticed that I had username and password of the user in the stack-trace and the logfile. Not quite sure, if this is a good thing.
#2 /data/vhosts/snipeit/app/Http/Controllers/Auth/LoginController.php(146): App\\Services\\LdapAd->ldapLogin('<user>', '<password>')
Using:
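Added example, not part of the thread and not Snipe-IT code: two PHP-level ways to keep call arguments such as the password in the frame above out of exception stack traces, the `#[\SensitiveParameter]` attribute (PHP 8.2+) and the `zend.exception_ignore_args` ini setting (PHP 7.4+). The `DemoLdap` class and the credentials are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Snipe-IT code. DemoLdap is a hypothetical stand-in for the
// service in the trace; the credentials below are constructed sample values.
final class DemoLdap
{
    // Plain parameters: both arguments are copied into the exception's trace.
    public function loginPlain(string $username, string $password): never
    {
        throw new RuntimeException('LDAP bind failed');
    }

    // PHP 8.2+: the attribute makes the engine store a SensitiveParameterValue
    // wrapper in the trace instead of the argument itself.
    public function loginRedacted(
        string $username,
        #[\SensitiveParameter] string $password
    ): never {
        throw new RuntimeException('LDAP bind failed');
    }
}

// Runs $call and returns the stack trace text a logger would write.
function traceOf(callable $call): string
{
    try {
        $call();
    } catch (RuntimeException $e) {
        return $e->getTraceAsString();
    }
    return '';
}

$ldap = new DemoLdap();

// Force argument capture on so the leak is visible regardless of php.ini.
ini_set('zend.exception_ignore_args', '0');
echo "plain:\n", traceOf(fn () => $ldap->loginPlain('jdoe', 'S3cret!')), "\n\n";
echo "attribute:\n", traceOf(fn () => $ldap->loginRedacted('jdoe', 'S3cret!')), "\n\n";

// Engine-wide switch (PHP 7.4+): no frame records arguments at all. This also
// covers third-party library code that cannot be annotated.
ini_set('zend.exception_ignore_args', '1');
echo "ignore_args:\n", traceOf(fn () => $ldap->loginPlain('jdoe', 'S3cret!')), "\n";
```

Neither setting cleans up entries already written to laravel.log, so existing log files still need to be scrubbed or rotated and the exposed passwords changed.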