[exim-dev] [Bug 165] Avoid showing LDAP passwords in log lin…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 165] Avoid showing LDAP passwords in log lines for LDAP errors
https://bugs.exim.org/show_bug.cgi?id=165

Wolfgang Breyha <wbreyha@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |wbreyha@???
   Target Milestone|Exim 4.77                   |Exim 4.88


--- Comment #2 from Wolfgang Breyha <wbreyha@???> ---
May I bring this up again?

Recently I faced the situation when exim spoiled the LDAP password to alpine
which uses "exim -bs" and we have a rewrite rule with ldap lookup hitting both
From: and env-from. alpine got two nice stderr messages with the LDAP password
intact because the LDAP lookup deferred.

Expansion of "....." ...
doesn't contain it as long as it is not directly given in the expansion (e.g.
${readfile...}), but the

... failed while rewriting: lookup of "....."
contains the expanded part of the lookup with password.

Another possible leak I found is in route.c and deliver.c.

Both look into addr->message if it contains "failed to expand" or "expansion
of". If the string further contains "ldap:", "ldapm:" or "ldapdn:" a simple
message is returned. IMO both are missing "ldaps:".

--
You are receiving this mail because:
You are the QA Contact for the bug.
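
The prefix check described in comment #2, modelled as an added example; this is not Exim's code and not part of the original message. The helper name, the generic message text and the sample strings are assumptions constructed for illustration. It shows why a message carrying an `ldaps://` URL passes the described list unredacted.

```c
#include <stdio.h>
#include <string.h>

/* Placeholder for the "simple message"; the text is an assumption. */
#define GENERIC_MSG "temporary lookup failure"

/* Expansion-failure markers and lookup prefixes as listed in the comment. */
static const char *const MARKERS[]      = { "failed to expand", "expansion of", NULL };
static const char *const PREFIXES_OLD[] = { "ldap:", "ldapm:", "ldapdn:", NULL };
/* The same list plus the "ldaps:" prefix the comment reports as missing. */
static const char *const PREFIXES_NEW[] = { "ldap:", "ldapm:", "ldapdn:", "ldaps:", NULL };

/* Constructed sample messages; user, host and password are made up. */
static const char SAMPLE_LDAP[] =
    "failed to expand \"${lookup ldap{user=cn=mta pass=EXAMPLE-PW "
    "ldap://ldap.example.test/dc=example?mail?sub?(uid=jo)}}\"";
static const char SAMPLE_LDAPS[] =
    "failed to expand \"${lookup ldap{user=cn=mta pass=EXAMPLE-PW "
    "ldaps://ldap.example.test/dc=example?mail?sub?(uid=jo)}}\"";
static const char SAMPLE_OTHER[] = "failed to expand \"${domain}\": unknown variable";

/* Return 1 if msg contains any string from the NULL-terminated list. */
static int contains_any(const char *msg, const char *const *list)
{
    for (; *list != NULL; list++)
        if (strstr(msg, *list) != NULL)
            return 1;
    return 0;
}

/* Hypothetical helper: text that is safe to log or hand to the client. */
const char *loggable_message(const char *msg, const char *const *prefixes)
{
    if (msg != NULL && contains_any(msg, MARKERS) && contains_any(msg, prefixes))
        return GENERIC_MSG;
    return msg;
}

int main(void)
{
    printf("old list, ldap:  %s\n", loggable_message(SAMPLE_LDAP, PREFIXES_OLD));
    printf("old list, ldaps: %s\n", loggable_message(SAMPLE_LDAPS, PREFIXES_OLD));
    printf("new list, ldaps: %s\n", loggable_message(SAMPLE_LDAPS, PREFIXES_NEW));
    printf("new list, other: %s\n", loggable_message(SAMPLE_OTHER, PREFIXES_NEW));
    return 0;
}
```

The substring `ldap:` never occurs inside `ldaps://`, so a plain substring test needs the `ldaps:` entry listed explicitly.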