Logging DB password in http-error.log

We get this message in our apache http-error.log all the time.

49694 Apache::DBI need ping: 49694 Apache::DBI
new connect to
’dbname=rt3;host=localhost^\rt_user^\password^\AutoCommit=1^\PrintError=
1^\Username=rt_user’

Why are the password logged in plain text?

// Jens

We get this message in our apache http-error.log all the time.

49694 Apache::DBI need ping: 49694 Apache::DBI
new connect to
’dbname=rt3;host=localhost^\rt_user^\password^\AutoCommit=1^
\PrintError=
1^\Username=rt_user’

Why are the password logged in plain text?

Did you set LogLevel to ‘debug’ somewhere? And why do
untrustworthy people have access to your log files?

No, no debug loglevel.

And of course no, there are no untrustworthy people that have access to
our log files but passwords shouldn’t be stored in our log files.

// Jens

You can see this only when Apache::DBI::DEBUG variable set to 1 or
greater, by default it’s 0 and RT doesn’t change it. Grep for this var
in your code or in httpd confs.On 3/9/06, Jens Andersson jens.andersson@teleservice.net wrote:

We get this message in our apache http-error.log all the time.

49694 Apache::DBI need ping: 49694 Apache::DBI
new connect to
’dbname=rt3;host=localhost^\rt_user^\password^\AutoCommit=1^
\PrintError=
1^\Username=rt_user’

Why are the password logged in plain text?

Did you set LogLevel to ‘debug’ somewhere? And why do
untrustworthy people have access to your log files?

No, no debug loglevel.

And of course no, there are no untrustworthy people that have access to
our log files but passwords shouldn’t be stored in our log files.

// Jens


http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users

Community help: http://wiki.bestpractical.com
Commercial support: sales@bestpractical.com

Discover RT’s hidden secrets with RT Essentials from O’Reilly Media.
Buy a copy at http://rtbook.bestpractical.com

We’re hiring! Come hack Perl for Best Practical: http://bestpractical.com/about/jobs.html

Best regards, Ruslan.

This sure sounds like an issue with Apache::DBI. What happens
if you try RT without Apache::DBI?

I tried without Apache::DBI and now it’s ok. Is there any bad things to
not run RT with Apache::DBI?

// Jens