Passwords written (not hidden or hashed) in log files

[bseclier]

Hi,
We are facing some troubles here. Looking into my logfile, I can see all my user's passwords, not hidden. Here is the kind of log (in the text file attached). I replaced the real password by PASSWORD HERE NOT HIDDEN and the true login by MY LOGIN.

It seems that when OC\User\Session->createSessionToken is logged, we can see the password.
Here is my log configuration (in WARN mode) :
'logfile' => '',
'log_type' => 'syslog',
'loglevel' => '2',
'syslog_tag' => 'nextcloud',

Thanks for taking care of it.
Cheers,
nextcloud.log

[nextcloud-bot]

GitMate.io thinks possibly related issues are #293 (Log still written as owncloud.log), #8104 (clear text password in log file when ldap not available), #2304 (Config error should not lead to user passwords in log), #2631 (Warning logged when logging in with an email address and password.), and #7217 (Decrypt a file when username and password known).

[bseclier]

Hi little bot,
Thank for the advice but no, this is not.
And this is not an enhancement, this is a severe bug !

[MorrisJobke]

@bseclier I guess you are talking about this entry:

An exception occurred while executing 'INSERT INTO `oc_authtoken`(`uid`,`login_name`,`password`,`name`,`token`,`type`,`remember`,`last_activity`) VALUES(?,?,?,?,?,?,?,?)' with params [******]:\n\nSQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '80f3eea1ff2b36763a38d028ccca401e8e4719a4f746a56ee4d45459ebfd9616' for key 'authtoken_token_index'

The with params [******] is where you replaced the variables, right?

@nickvergessen Any chance to hide it only for queries to oc_authtoken?

[MorrisJobke]

That is where it needs to be added: https://github.com/nextcloud/server/blob/master/lib/private/Log/ExceptionSerializer.php

[rullzer]

@MorrisJobke no it is not in that query as there the password is encrytped anyways already

it is in the stacktrace at

server/lib/private/User/Session.php

Line 620 in 8c47a63

public function createSessionToken(IRequest $request, $uid, $loginName, $password = null, $remember = IToken::DO_NOT_REMEMBER) {

[bseclier]

You're right @rullzer !

[nickvergessen]

time to raise priority on a little script which looks for parameter names and checks that the method name is in the block list, he?

Anyway, I guess adding createSessionToken to the list of "bad" methods should be good enough?

[MorrisJobke]

Fix is in #10193