Package: debconf
Version: 1.4.72
Severity: normal
Tags: patch
debconf exposes the answers to password questions in its debug
information. This is rather annoying when writing installer-related
applications based on debconf, as it means that you can't safely ask for
debugging logs without having to get people to strip passwords out of
them first; today I had a normally extremely security-conscious
developer send me his password for his home systems by mistake. I
suspect that quite a lot of passwords are lying around in attachments to
bugs in various bug tracking systems, unnoticed by the senders.
The attached patch attempts to hide passwords even when the 'developer'
and/or 'db' debug modes are set. It's pretty ugly in places, though, so
I haven't just checked it in. What do you think?
Cheers,
--
Colin Watson [EMAIL PROTECTED]
Index: Debconf/DbDriver/Stack.pm
===================================================================
--- Debconf/DbDriver/Stack.pm (revision 2009)
+++ Debconf/DbDriver/Stack.pm (working copy)
@@ -165,7 +165,11 @@
shift; # this again
my $item=shift;
- debug "db $this->{name}" => "trying to $command($item @_) ..";
+ if ($command eq 'setfield' and $_[0] eq 'value' and
$this->ispassword($item)) {
+ debug "db $this->{name}" => "trying to $command($item $_[0]
<password hidden>) ..";
+ } else {
+ debug "db $this->{name}" => "trying to $command($item @_) ..";
+ }
# Check to see if we can just write to some driver in the stack.
foreach my $driver (@{$this->{stack}}) {
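Review bot: The masking decision and the log line are tangled together in the new `if`/`else`, so the `debug` call now exists twice and a later edit to one copy could reintroduce the unmasked form. Computing the argument text once keeps a single logging site: `my $shown=($command eq 'setfield' and @_ and $_[0] eq 'value' and $this->ispassword($item)) ? "$_[0] <password hidden>" : "@_";` followed by `debug "db $this->{name}" => "trying to $command($item $shown) ..";`. The added `@_` test also avoids comparing an undefined `$_[0]` if `setfield` is ever called without a field name, which the visible lines do not rule out. The enclosing sub starts and ends outside the hunk, so it is worth confirming that no other `debug` in it prints `@_`.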
Index: Debconf/ConfModule.pm
===================================================================
--- Debconf/ConfModule.pm (revision 2009)
+++ Debconf/ConfModule.pm (working copy)
@@ -88,6 +88,7 @@
my %codes = (
success => 0,
escaped_data => 1,
+ password => 2, # used internally to hide password in debug messages
badparams => 10,
syntaxerror => 20,
input_invisible => 30,
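Review bot: `password => 2` puts an internal sentinel in the same table as the protocol status codes, and the only thing that stops it reaching a client is the rewrite at the end of `process_command`. Any caller that invokes a `command_*` method directly would see status 2, so the comment should state the invariant, for example `# internal only: process_command rewrites this to success before replying; never sent to a client`. Because the sentinel replaces the real status, the password branch added to `command_get` in the last hunk returns before the `escape` capability check, and a client that negotiated `escape` now gets an unescaped password value with status 0 instead of `escaped_data`. Carrying the "hide this" fact separately from the status code (a flag, or a lookup of the question type at logging time) would avoid both problems.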
@@ -225,7 +226,18 @@
sub process_command {
my $this=shift;
- debug developer => "<-- $_";
+ # Nasty hack to stop SET passwords showing up in debug messages.
+ if (/^set /i) {
+ my ($command, @params)=split(' ', $_);
+ my $question=Debconf::Question->get($params[0]);
+ if ($question and $question->template->type eq 'password') {
+ debug developer => "<-- $command $params[0] <password
hidden>";
+ } else {
+ debug developer => "<-- $_";
+ }
+ } else {
+ debug developer => "<-- $_";
+ }
return 1 unless defined && ! /^\s*#/; # Skip blank lines, comments.
chomp;
my ($command, @params);
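Review bot: The new check fails open: the value is masked only when the line matches `/^set /i` exactly and `Debconf::Question->get` finds the question, and every other path logs `$_` in full. The command parsing further down is outside this hunk, but if it tolerates leading whitespace or a tab after the command word, a `SET` for a password question written that way would still be logged; matching with `if (defined and /^\s*set\s/i)` would be closer to what `split(' ', $_)` accepts, and would also keep the pattern match off an undefined `$_`, which the existing guard on the following line shows is possible. The question lookup also runs on every `SET` whether or not the developer debug mode is enabled. A short comment saying that the parse here is only for logging and must stay in step with the real parser would help the next reader.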
@@ -246,13 +258,26 @@
}
# Now call the subroutine for the command.
$command="command_$command";
- my $ret=join(' ', $this->$command(@params));
- debug developer => "--> $ret";
+ my @ret=$this->$command(@params);
+ my $ret=join(' ', @ret);
+ if ($ret[0] eq $codes{password}) {
+ debug developer => "--> $codes{success} <password hidden>";
+ } else {
+ debug developer => "--> $ret";
+ }
if ($ret=~/\n/) {
debug developer => 'Warning: return value is multiline, and
would break the debconf protocol. Truncating to first line.';
$ret=~s/\n.*//s;
- debug developer => "--> $ret";
+ if ($ret[0] eq $codes{password}) {
+ debug developer => "--> $codes{success} <password
hidden>";
+ } else {
+ debug developer => "--> $ret";
+ }
}
+ if ($ret[0] eq $codes{password}) {
+ $ret[0]=$codes{success};
+ $ret=join(' ', @ret);
+ }
return $ret;
}
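Review bot: The final `if ($ret[0] eq $codes{password})` block rebuilds `$ret` with `join(' ', @ret)` after the multiline branch has already run `$ret=~s/\n.*//s`, so for a password value containing a newline the truncation is undone and the multiline reply the warning describes is returned anyway. The same sentinel test is also repeated three times, and `$ret[0]` is compared without checking that the command returned anything. Restoring the real status before the reply string is built, and keeping a single `$hide` flag for the log lines, removes the ordering problem and the repetition.

```perl
my @ret=$this->$command(@params);
# Remember that the value must be hidden, then restore the real status
# before the reply string is built so later edits to $ret are kept.
my $hide=(@ret and $ret[0] eq $codes{password});
$ret[0]=$codes{success} if $hide;
my $ret=join(' ', @ret);
debug developer => "--> " . ($hide ? "$codes{success} <password hidden>" : $ret);
if ($ret=~/\n/) {
	# … unchanged: multiline warning …
	$ret=~s/\n.*//s;
	debug developer => "--> " . ($hide ? "$codes{success} <password hidden>" : $ret);
}
return $ret;
```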
@@ -532,7 +557,11 @@
my $question=Debconf::Question->get($question_name) ||
return $codes{badparams}, "$question_name doesn't exist";
- if (defined $question->value) {
+ if ($question->template->type eq 'password') {
+ # make sure passwords don't end up in debug messages
+ return $codes{password}, defined($question->value) ?
$question->value : '';
+ }
+ elsif (defined $question->value) {
if (defined $this->client_capb and grep { $_ eq 'escape' }
@{$this->client_capb}) {
return $codes{escaped_data}, escape($question->value);
} else {