2621: "Internal Server Error" email contains plain text password

eelco.*******@logicb******* (Google Code)
Feb. 3, 2014
What version are you running?

Review Board 1.6.6


What's the URL of the page containing the problem?

Email sent after a 500 error on /account/login/


What steps will reproduce the problem?
1. User attempts to log in using a long (> 30 characters) LDAP username.
2. This triggers an internal server error (500), causing an email message to be sent to the admin.


What is the expected output? What do you see instead?

The email message sent to the server admin (attached with password scrubbed) contains a backtrace and a WSGIRequest that contains the line:

POST:<QueryDict: {u'username': [u'very-long-username@logicblox.com'], u'next_page': [u'/r/'], u'password': [u'ACTUAL_PASSWORD']}>,

where 'ACTUAL_PASSWORD' is, well, the actual password of the user who attempted to log in.  

Expected result is not to have passwords sent in plain text via email.

(Review Board should probably also accept user names longer than 30 characters, but that's a separate issue.)


What operating system are you using? What browser?

NixOS (Linux), Firefox 12.0.


Please provide any additional information below.
Subject: [Review Board] ERROR (EXTERNAL IP): Internal Server Error: /account/login/
From: root@localhost.localdomain
Date: 01/06/12 12:45
To: eelco.dolstra@logicblox.com
Traceback (most recent call last):
  File "/nix/store/i3j3zck6fyab7sad8pwdmw363kij4321-python-Django-1.3.1/lib/python2.7/site-packages/Django-1.3.1-py2.7.egg/django/core/handlers/base.py", line 117, in get_response
    response = middleware_method(request, e)
  File "/nix/store/gi0798i8zlx1cgvkjiqhva2gd83an3c0-python-Djblets-0.6.16/lib/python2.7/site-packages/Djblets-0.6.16-py2.7.egg/djblets/log/middleware.py", line 242, in process_exception
    request.user, request.build_absolute_uri(),
  File "/nix/store/i3j3zck6fyab7sad8pwdmw363kij4321-python-Django-1.3.1/lib/python2.7/site-packages/Django-1.3.1-py2.7.egg/django/contrib/auth/middleware.py", line 9, in __get__
    request._cached_user = get_user(request)
  File "/nix/store/i3j3zck6fyab7sad8pwdmw363kij4321-python-Django-1.3.1/lib/python2.7/site-packages/Django-1
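The leak described in this report happens because the error-report middleware renders the raw POST mapping (password included) into the admin email. The block below is an added example, not code from the original report or from Review Board or Django; it shows the scrubbing step that has to run on the request data before it is formatted into the email. The helper names (`cleanse_post`, `format_request_for_email`) and the sample request are this example's own, constructed to mirror the shape of the QueryDict in the report; the substitute string is the one Django's own debug reporter uses, and the explicit parameter list plays the role of the names passed to Django's `sensitive_post_parameters` decorator (Django 1.4 and later).

```python
"""Added example (not part of the original report or Review Board's code).

Masks sensitive POST parameters before request data is written into a
500 error email. The sample request below is constructed; helper names
are this example's own, not Django's API.
"""
import re
from typing import Dict, Iterable, List, Mapping

# Same substitute string Django's debug reporter writes in place of a value.
CLEANSED_SUBSTITUTE = "********************"

# Parameter-name fragments that indicate a credential (assumed list).
DEFAULT_SENSITIVE = ("password", "passwd", "secret", "token", "api_key")
_SENSITIVE_RE = re.compile("|".join(DEFAULT_SENSITIVE), re.IGNORECASE)


def cleanse_post(post: Mapping[str, List[str]],
                 sensitive: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return a copy of a QueryDict-like mapping with sensitive values masked.

    `sensitive` lists parameter names marked explicitly by the view (the way
    Django's sensitive_post_parameters decorator does). On top of that, any
    key whose name looks like a credential is masked as a safety net, so a
    forgotten decorator on a new login view does not leak a password.
    """
    explicit = {name.lower() for name in sensitive}
    cleansed: Dict[str, List[str]] = {}
    for key, values in post.items():
        if key.lower() in explicit or _SENSITIVE_RE.search(key):
            # Keep the number of values so the shape of the request survives.
            cleansed[key] = [CLEANSED_SUBSTITUTE] * len(values)
        else:
            cleansed[key] = list(values)
    return cleansed


def format_request_for_email(method: str, path: str,
                             post: Mapping[str, List[str]],
                             sensitive: Iterable[str] = ()) -> str:
    """Build the request summary that goes into the admin error email.

    Only the cleansed copy is ever rendered; the original mapping is never
    passed to repr(), which is the step that leaked the password above.
    """
    safe_post = cleanse_post(post, sensitive)
    return f"{method} {path}\nPOST: {safe_post!r}"


# Constructed sample mirroring the shape of the QueryDict in the report.
SAMPLE_POST = {
    "username": ["very-long-username@example.com"],
    "next_page": ["/r/"],
    "password": ["hunter2"],
}

if __name__ == "__main__":
    print(format_request_for_email("POST", "/account/login/",
                                   SAMPLE_POST, sensitive=["password"]))
```

Running the block prints the request line with `'password': ['********************']` while `username` and `next_page` are left intact. The check that matters for a report like this one is the negative assertion: the rendered string must not contain the submitted password at all, independent of which layer (view decorator or reporter filter) did the masking.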
#1 chipx86
Hmm, not sure we have any say in how Django represents those error pages. Something to look into.
  • +Confirmed
  • +Milestone-Release1.6.x
  • +BetterErrors
#2 david
  • +Component-Admin
#3 david
  • -Milestone-Release1.6.x
#4 david
I think the original error in django has been fixed, and if there are other errors that could trigger this same problem, there's nothing that we can do about it from reviewboard code.
  • -Confirmed
  • +ThirdParty