Hi,
I was playing around with ldap/AD integration and got this errorreport mailed to our NOC-Group (see below)
- this mail leaks my username/password in cleartext. I think this should really be avoided for any case happening! I don't have a clue about django but a quick search showed me this:
https://docs.djangoproject.com/en/dev/howto/error-reporting/
Especially interesting might be this part:
... Filtering sensitive information https://docs.djangoproject.com/en/dev/howto/error-reporting/#filtering-sens itive-information Error reports are really helpful for debugging errors, so it is generally useful to record as much relevant information about those errors as possible. For example, by default Django records the full traceback http://en.wikipedia.org/wiki/Stack_trace for the exception raised, each traceback frame http://en.wikipedia.org/wiki/Stack_frame ¹s local variables, and the HttpRequest https://docs.djangoproject.com/en/dev/ref/request-response/#django.http.Htt pRequest ¹s attributes https://docs.djangoproject.com/en/dev/ref/request-response/#httprequest-att ributes .
However, sometimes certain types of information may be too sensitive and thus may not be appropriate to be kept track of, for example a user¹s password or credit card number. So Django offers a set of function decorators to help you control which information should be filtered out of error reports in a production environment (that is, where DEBUG https://docs.djangoproject.com/en/dev/ref/settings/#std:setting-DEBUG is set to False): sensitive_variables() https://docs.djangoproject.com/en/dev/howto/error-reporting/#django.views.d ecorators.debug.sensitive_variables and sensitive_post_parameters() https://docs.djangoproject.com/en/dev/howto/error-reporting/#django.views.d ecorators.debug.sensitive_post_parameters .
...
I wonder if than can be integrated for NAV or if there is another way to get around exposure like that?
Mischa
Original mail we became for django error: ----
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/django/core/handlers/base.py", line 111, in get_response response = callback(request, *callback_args, **callback_kwargs)
File "/usr/lib/pymodules/python2.7/nav/web/webfront/views.py", line 89, in login return do_login(request)
File "/usr/lib/pymodules/python2.7/nav/web/webfront/views.py", line 122, in do_login account = auth.authenticate(username, password)
File "/usr/lib/pymodules/python2.7/nav/web/auth.py", line 95, in authenticate auth = ldapauth.authenticate(username, password)
File "/usr/lib/pymodules/python2.7/nav/web/ldapauth.py", line 120, in authenticate lconn = open_ldap()
File "/usr/lib/pymodules/python2.7/nav/web/ldapauth.py", line 76, in open_ldap server = _config.get('ldap', 'server')
File "/usr/lib/python2.7/ConfigParser.py", line 618, in get raise NoOptionError(option, section)
NoOptionError: No option 'server' in section: 'ldap'
<WSGIRequest path:/index/login/, GET:<QueryDict: {}>, POST:<QueryDict: {u'origin': [u''], u'username': [u'diehm-adm'], u'password': [u'godDamnitDjango']}>, COOKIES:{'sessionid': 'd660941ae6b821799dbb47ed41d47009'}, META:{'CONTENT_LENGTH': '52', 'CONTENT_TYPE': 'application/x-www-form-urlencoded', 'DOCUMENT_ROOT': '/usr/share/nav/htdocs', 'GATEWAY_INTERFACE': 'CGI/1.1', 'HTTPS': '1', 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate', 'HTTP_ACCEPT_LANGUAGE': 'de,en-us;q=0.7,en;q=0.3', 'HTTP_CONNECTION': 'keep-alive', 'HTTP_COOKIE': 'sessionid=d660941ae6b821799dbb47ed41d47009', 'HTTP_DNT': '1', 'HTTP_HOST': 'urz-nav-pet.urz.unibas.ch', 'HTTP_REFERER': 'https://urz-nav-pet.urz.unibas.ch/index/login/', 'HTTP_USER_AGENT': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0', 'PATH_INFO': u'/index/login/', 'PATH_TRANSLATED': '/usr/share/pyshared/nav/wsgi.py/index/login/', 'QUERY_STRING': '', 'REMOTE_ADDR': '131.152.2.16', 'REMOTE_PORT': '59503', 'REQUEST_METHOD': 'POST', 'REQUEST_URI': '/index/login/', 'SCRIPT_FILENAME': '/usr/share/pyshared/nav/wsgi.py', 'SCRIPT_NAME': u'', 'SERVER_ADDR': '131.152.2.216', 'SERVER_ADMIN': 'webmaster@localhost', 'SERVER_NAME': 'urz-nav-pet.urz.unibas.ch', 'SERVER_PORT': '443', 'SERVER_PROTOCOL': 'HTTP/1.1', 'SERVER_SIGNATURE': '<address>Apache/2.2.22 (Debian) Server at urz-nav-pet.urz.unibas.ch Port 443</address>\n', 'SERVER_SOFTWARE': 'Apache/2.2.22 (Debian)', 'SSL_TLS_SNI': 'urz-nav-pet.urz.unibas.ch', 'mod_wsgi.application_group': 'urz-nav-pet.urz.unibas.ch|', 'mod_wsgi.callable_object': 'application', 'mod_wsgi.handler_script': '', 'mod_wsgi.input_chunked': '0', 'mod_wsgi.listener_host': '', 'mod_wsgi.listener_port': '443', 'mod_wsgi.process_group': 'NAV', 'mod_wsgi.request_handler': 'wsgi-script', 'mod_wsgi.script_reloading': '1', 'mod_wsgi.version': (3, 3), 'wsgi.errors': <mod_wsgi.Log object at 0x7fa322859430>, 'wsgi.file_wrapper': <built-in method file_wrapper of mod_wsgi.Adapter object at 0x7fa3228655d0>, 'wsgi.input': <mod_wsgi.Input object at 0x7fa3210d6eb0>, 'wsgi.multiprocess': True, 'wsgi.multithread': True, 'wsgi.run_once': False, 'wsgi.url_scheme': 'https', 'wsgi.version': (1, 1)}>