summaryrefslogtreecommitdiff
path: root/program
diff options
context:
space:
mode:
authorThomas Bruederli <thomas@roundcube.net>2014-02-03 15:34:55 +0100
committerThomas Bruederli <thomas@roundcube.net>2014-05-12 09:00:13 +0200
commit0d9ccfd8f76170adfeaa104668fce0e0b4f66a33 (patch)
tree59df04bd56b7cc3928e769cf7f4abe08bc9ccd6f /program
parentc94971bc6fe68c777cc066f51a7d88cc1149813f (diff)
Don't EVER log passwords
Diffstat (limited to 'program')
-rw-r--r--program/lib/Roundcube/rcube_imap_generic.php34
-rw-r--r--program/lib/Roundcube/rcube_ldap_generic.php4
-rw-r--r--program/lib/Roundcube/rcube_smtp.php11
3 files changed, 37 insertions, 12 deletions
diff --git a/program/lib/Roundcube/rcube_imap_generic.php b/program/lib/Roundcube/rcube_imap_generic.php
index f9a62f010..9035840a8 100644
--- a/program/lib/Roundcube/rcube_imap_generic.php
+++ b/program/lib/Roundcube/rcube_imap_generic.php
@@ -73,6 +73,7 @@ class rcube_imap_generic
const COMMAND_NORESPONSE = 1;
const COMMAND_CAPABILITY = 2;
const COMMAND_LASTLINE = 4;
+ const COMMAND_ANONYMIZED = 8;
const DEBUG_LINE_LENGTH = 4098; // 4KB + 2B for \r\n
@@ -88,16 +89,28 @@ class rcube_imap_generic
*
* @param string $string Command string
* @param bool $endln True if CRLF need to be added at the end of command
+ * @param bool $anonymized Don't write the given data to log but a placeholder
*
* @param int Number of bytes sent, False on error
*/
- function putLine($string, $endln=true)
+ function putLine($string, $endln=true, $anonymized=false)
{
if (!$this->fp)
return false;
if ($this->_debug) {
- $this->debug('C: '. rtrim($string));
+ // anonymize the sent command for logging
+ $cut = $endln ? 2 : 0;
+ if ($anonymized && preg_match('/^(A\d+ (?:[A-Z]+ )+)(.+)/', $string, $m)) {
+ $log = $m[1] . sprintf('****** [%d]', strlen($m[2]) - $cut);
+ }
+ else if ($anonymized) {
+ $log = sprintf('****** [%d]', strlen($string) - $cut);
+ }
+ else {
+ $log = rtrim($string);
+ }
+ $this->debug('C: ' . $log);
}
$res = fwrite($this->fp, $string . ($endln ? "\r\n" : ''));
@@ -116,10 +129,11 @@ class rcube_imap_generic
*
* @param string $string Command string
* @param bool $endln True if CRLF need to be added at the end of command
+ * @param bool $anonymized Don't write the given data to log but a placeholder
*
* @return int|bool Number of bytes sent, False on error
*/
- function putLineC($string, $endln=true)
+ function putLineC($string, $endln=true, $anonymized=false)
{
if (!$this->fp) {
return false;
@@ -138,7 +152,7 @@ class rcube_imap_generic
$parts[$i+1] = sprintf("{%d+}\r\n", $matches[1]);
}
- $bytes = $this->putLine($parts[$i].$parts[$i+1], false);
+ $bytes = $this->putLine($parts[$i].$parts[$i+1], false, $anonymized);
if ($bytes === false)
return false;
$res += $bytes;
@@ -153,7 +167,7 @@ class rcube_imap_generic
$i++;
}
else {
- $bytes = $this->putLine($parts[$i], false);
+ $bytes = $this->putLine($parts[$i], false, $anonymized);
if ($bytes === false)
return false;
$res += $bytes;
@@ -519,7 +533,7 @@ class rcube_imap_generic
$reply = base64_encode($user . ' ' . $hash);
// send result
- $this->putLine($reply);
+ $this->putLine($reply, true, true);
}
else {
// RFC2831: DIGEST-MD5
@@ -537,7 +551,7 @@ class rcube_imap_generic
base64_decode($challenge), $this->host, 'imap', $user));
// send result
- $this->putLine($reply);
+ $this->putLine($reply, true, true);
$line = trim($this->readReply());
if ($line[0] == '+') {
@@ -577,7 +591,7 @@ class rcube_imap_generic
// RFC 4959 (SASL-IR): save one round trip
if ($this->getCapability('SASL-IR')) {
list($result, $line) = $this->execute("AUTHENTICATE PLAIN", array($reply),
- self::COMMAND_LASTLINE | self::COMMAND_CAPABILITY);
+ self::COMMAND_LASTLINE | self::COMMAND_CAPABILITY | self::COMMAND_ANONYMIZED);
}
else {
$this->putLine($this->nextTag() . " AUTHENTICATE PLAIN");
@@ -588,7 +602,7 @@ class rcube_imap_generic
}
// send result, get reply and process it
- $this->putLine($reply);
+ $this->putLine($reply, true, true);
$line = $this->readReply();
$result = $this->parseResult($line);
}
@@ -3419,7 +3433,7 @@ class rcube_imap_generic
}
// Send command
- if (!$this->putLineC($query)) {
+ if (!$this->putLineC($query, true, ($options & self::COMMAND_ANONYMIZED))) {
$this->setError(self::ERROR_COMMAND, "Unable to send command: $query");
return $noresp ? self::ERROR_COMMAND : array(self::ERROR_COMMAND, '');
}
diff --git a/program/lib/Roundcube/rcube_ldap_generic.php b/program/lib/Roundcube/rcube_ldap_generic.php
index 923a12a41..b85afe4ce 100644
--- a/program/lib/Roundcube/rcube_ldap_generic.php
+++ b/program/lib/Roundcube/rcube_ldap_generic.php
@@ -240,7 +240,7 @@ class rcube_ldap_generic
$method = 'DIGEST-MD5';
}
- $this->_debug("C: SASL Bind [mech: $method, authc: $authc, authz: $authz, pass: $pass]");
+ $this->_debug("C: SASL Bind [mech: $method, authc: $authc, authz: $authz, pass: **** [" . strlen($pass) . "]");
if (ldap_sasl_bind($this->conn, NULL, $pass, $method, NULL, $authc, $authz)) {
$this->_debug("S: OK");
@@ -271,7 +271,7 @@ class rcube_ldap_generic
return false;
}
- $this->_debug("C: Bind $dn [pass: $pass]");
+ $this->_debug("C: Bind $dn, pass: **** [" . strlen($pass) . "]");
if (@ldap_bind($this->conn, $dn, $pass)) {
$this->_debug("S: OK");
diff --git a/program/lib/Roundcube/rcube_smtp.php b/program/lib/Roundcube/rcube_smtp.php
index 5f1200b38..70f15dc7b 100644
--- a/program/lib/Roundcube/rcube_smtp.php
+++ b/program/lib/Roundcube/rcube_smtp.php
@@ -29,6 +29,7 @@ class rcube_smtp
private $conn = null;
private $response;
private $error;
+ private $anonymize_log = 0;
// define headers delimiter
const SMTP_MIME_CRLF = "\r\n";
@@ -111,6 +112,7 @@ class rcube_smtp
if ($rcube->config->get('smtp_debug')) {
$this->conn->setDebug(true, array($this, 'debug_handler'));
+ $this->anonymize_log = 0;
}
// register authentication methods
@@ -330,6 +332,15 @@ class rcube_smtp
*/
public function debug_handler(&$smtp, $message)
{
+ // catch AUTH commands and set anonymization flag for subsequent sends
+ if (preg_match('/^Send: AUTH ([A-Z]+)/', $message, $m)) {
+ $this->anonymize_log = $m[1] == 'LOGIN' ? 2 : 1;
+ }
+ // anonymize this log entry
+ else if ($this->anonymize_log > 0 && strpos($message, 'Send:') === 0 && --$this->anonymize_log == 0) {
+ $message = sprintf('Send: ****** [%d]', strlen($message) - 8);
+ }
+
if (($len = strlen($message)) > self::DEBUG_LINE_LENGTH) {
$diff = $len - self::DEBUG_LINE_LENGTH;
$message = substr($message, 0, self::DEBUG_LINE_LENGTH)