Feature request: do not log the password in logfile or syslog

kappa-wingman · October 29, 2020, 7:26am

I am testing LDAP with RT 5.0. Because of some problem, the user is not able to be created.
By default, RT logs the username password in the log (either a log file or syslog). This is not desirable.

Related log:
HTML::Mason::Request::comp(undef, undef, “next”, “12345”, “pass”, “Your password!”, “user”, “testuser”) called at /opt/rt5/sbin/…/lib/RT/Interface/Web.pm line 321
RT::Interface::Web::HandleRequest(HASH(0x7f836b460d68)) called at /opt/rt5/share/html/autohandler line 53
HTML::Mason::Commands::ANON(“next”, “12345”, “user”, “testuser”, “pass”, “Your password!”) called at /usr/share/perl5/vendor_perl/HTML/Mason/Component.pm line 135

I would suggest it would not log password to the log file by default. Then have an option to enable the logging of the password.

Thanks.

knation · October 29, 2020, 12:18pm

What level is logging set to?

kappa-wingman · October 29, 2020, 12:30pm

It happens after I perform the installation. I did not change the logging level in RT_Config.pm. So it logs to syslog directly.
It also happens when I set to LogToFile with warning level.