password displayed with new yahoo login code

Sulabh Mahajan sulabh.dev at gmail.com
Thu Apr 30 01:06:42 EDT 2009


Hello everyone,

When coding for the new Yahoo login procedure, it was noticed that the password
of the user is displayed in the debug logs. It happens because we access the
following URL, which contains the password of the user.

https://login.yahoo.com/config/pwtoken_get?src=ymsgr&ts=&login=<user-name>&passwd=*<password>*&chal=<seed>

purple_util_fetch_url_request(), used to access the URL, has the following
debug line, which prints the password in the log:

    purple_debug_info("util",
             "requested to fetch (%s), full=%d, user_agent=(%s), http11=%d\n",
             url, full, user_agent?user_agent:"(null)", http11);


What should be our course of action to prevent showing the password in the
debug log?

John Bailey (rekkanoryo) suggested printing the URL only in the case of
#ifdef DEBUG, and hence showing the password only if compiled with
--enable-debug.

Any more ideas?



Sulabh
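
An added example, not part of the original post and not libpurple code: one way to keep the password out of the log is to mask sensitive query values before the URL reaches the debug line quoted above. The names redact_url_for_log and secret_params are hypothetical, the parameter list beyond "passwd" is an assumption, and the login, passwd and chal values in main() are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

static const char *const secret_params[] = { "passwd", "password", NULL }; /* assumed list */

static int is_secret(const char *name, size_t len)
{
    for (size_t i = 0; secret_params[i]; i++)
        if (strlen(secret_params[i]) == len && !strncasecmp(name, secret_params[i], len))
            return 1;
    return 0;
}

/* Hypothetical helper, not a libpurple function: copies url into out with sensitive
 * query values masked. Returns NULL if out is too small (caller then logs no URL). */
const char *redact_url_for_log(const char *url, char *out, size_t outsz)
{
    static const char mask[] = "<redacted>";
    const size_t mlen = sizeof mask - 1;
    const char *p = strchr(url, '?');
    size_t o = p ? (size_t)(p - url) + 1 : strlen(url);
    if (o >= outsz) return NULL;
    memcpy(out, url, o);                    /* scheme, host, path and '?' */
    if (!p) { out[o] = '\0'; return out; }
    for (p++; *p && *p != '#'; ) {
        size_t plen = strcspn(p, "&#");     /* one name=value pair */
        const char *eq = memchr(p, '=', plen);
        int hide = eq && is_secret(p, (size_t)(eq - p));
        size_t keep = hide ? (size_t)(eq - p) + 1 : plen;
        if (o + keep + (hide ? mlen : 0) + 2 > outsz) return NULL;
        memcpy(out + o, p, keep); o += keep;
        if (hide) { memcpy(out + o, mask, mlen); o += mlen; }
        p += plen;
        if (*p == '&') { out[o++] = '&'; p++; }
    }
    size_t rest = strlen(p);                /* fragment, if any */
    if (o + rest >= outsz) return NULL;
    memcpy(out + o, p, rest + 1);
    return out;
}

int main(void)
{
    char buf[256];  /* constructed sample values for login, passwd and chal */
    const char *u = "https://login.yahoo.com/config/pwtoken_get?src=ymsgr&ts=&login=alice&passwd=hunter2&chal=abc123";
    puts(redact_url_for_log(u, buf, sizeof buf) ? buf : "(url omitted)");
    return 0;
}
```

Unlike the #ifdef DEBUG approach, this keeps the rest of the URL in the log for every build while the password value never reaches it.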