On Tue, 25 Mar 2014 17:50:05 +0000 Mischa Diehm mischa.diehm@unibas.ch wrote:
I was playing around with LDAP/AD integration and got this error report mailed to our NOC-Group (see below)
- this mail leaks my username/password in cleartext. I think this should
really be avoided for any case happening! I don't have a clue about Django but a quick search showed me this:
https://docs.djangoproject.com/en/dev/howto/error-reporting/
Especially interesting might be this part:
[snip]
I wonder if that can be integrated for NAV or if there is another way to get around exposure like that?
Nice catch, I'm sure it can be fixed, and thanks for the report! I would kindly ask you to file it at [1], so we have a tracking number for it.
Having everything served through Django is a relatively recent development in NAV, since Django has been shoe-horned into our legacy code over several years. Before Django, no such reports were mailed when things crashed, which is likely why the issue of sensitive data leaks never was considered.
[1] https://bugs.launchpad.net/nav/+filebug