Server: Passwords written (not hidden or hashed) in log files

Created on 10 Jul 2018 · 8 Comments · Source: nextcloud/server

Hi,
We are facing some trouble here. Looking into my log file, I can see all my users' passwords, not hidden. Here is the kind of log (in the text file attached). I replaced the real password with PASSWORD HERE NOT HIDDEN and the true login with MY LOGIN.

It seems that when OC\User\Session->createSessionToken is logged, we can see the password.
Here is my log configuration (in WARN mode):
'logfile' => '',
'log_type' => 'syslog',
'loglevel' => '2',
'syslog_tag' => 'nextcloud',

Thanks for taking care of it.
Cheers,
nextcloud.log

bug


All 8 comments

GitMate.io thinks possibly related issues are https://github.com/nextcloud/server/issues/293 (Log still written as owncloud.log), https://github.com/nextcloud/server/issues/8104 (clear text password in log file when ldap not available), https://github.com/nextcloud/server/issues/2304 (Config error should not lead to user passwords in log), https://github.com/nextcloud/server/issues/2631 (Warning logged when logging in with an email address and password.), and https://github.com/nextcloud/server/issues/7217 (Decrypt a file when username and password known).

Hi little bot,
Thanks for the advice, but no, this is not.
And this is not an enhancement, this is a severe bug!

@bseclier I guess you are talking about this entry:

An exception occurred while executing 'INSERT INTO `oc_authtoken`(`uid`,`login_name`,`password`,`name`,`token`,`type`,`remember`,`last_activity`) VALUES(?,?,?,?,?,?,?,?)' with params [******]:\n\nSQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry '80f3eea1ff2b36763a38d028ccca401e8e4719a4f746a56ee4d45459ebfd9616' for key 'authtoken_token_index'

The with params [******] is where you replaced the variables, right?

@nickvergessen Any chance to hide it only for queries to oc_authtoken?

@MorrisJobke No, it is not in that query, as there the password is encrypted anyway already.

it is in the stacktrace at https://github.com/nextcloud/server/blob/8c47a632e0afc5b38093818f70dcf4cdead42b4d/lib/private/User/Session.php#L620
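The mechanism rullzer points at (the password sits in the arguments of a frame in the serialized stack trace, not in the SQL parameters) is easiest to see with a small model of it. The following is an added example, not Nextcloud's code: it masks the arguments of every frame whose method name is on a block list, and then checks whether a known secret still appears anywhere in the trace. The frame layout (class/type/function/args, as PHP's Throwable::getTrace() produces) and both block lists are assumptions made for the example; the sample trace is constructed, with the same placeholders the reporter used.

```python
"""Mask arguments of block-listed methods in an exception trace before logging.

Added example, not Nextcloud's code. Assumed: frames are dicts in the shape
of PHP's Throwable::getTrace() output, and the logger keeps a plain set of
method names whose arguments must never be written out.
"""
import copy

MASK = "*** sensitive parameters replaced ***"

# Hypothetical block lists: one without createSessionToken (the situation in
# the issue) and one with it added, as the thread proposes.
BLOCKLIST_WITHOUT_FIX = {"checkPassword", "login", "logClientIn", "tryLogin"}
BLOCKLIST_WITH_FIX = BLOCKLIST_WITHOUT_FIX | {"createSessionToken"}


def sanitize_trace(frames, sensitive_methods):
    """Return a deep copy of `frames` with the args of block-listed methods masked.

    The copy matters: the original exception object must stay intact so the
    caller can still inspect it; only the logged representation is scrubbed.
    """
    cleaned = copy.deepcopy(frames)
    for frame in cleaned:
        if frame.get("function") in sensitive_methods:
            frame["args"] = [MASK]
    return cleaned


def leaked_values(frames, secrets):
    """Return the subset of `secrets` still present verbatim in any frame's args.

    This is the check a log sink (or a test) can run: masking by method name
    only works if every method that receives the secret is on the list.
    """
    found = set()
    for frame in frames:
        for arg in frame.get("args", []):
            if isinstance(arg, str):
                found.update(s for s in secrets if s in arg)
    return found


SECRET = "PASSWORD HERE NOT HIDDEN"

# Constructed trace resembling the one in the issue; values are made up.
SAMPLE_TRACE = [
    {"class": "OC\\User\\Session", "type": "->", "function": "createSessionToken",
     "args": ["<request>", "MY LOGIN", "MY LOGIN", SECRET, 0]},
    {"class": "OC\\User\\Session", "type": "->", "function": "logClientIn",
     "args": ["MY LOGIN", SECRET, "<request>", "<throttler>"]},
    {"class": "OC\\Core\\Controller\\LoginController", "type": "->", "function": "tryLogin",
     "args": ["MY LOGIN", SECRET, "/apps/files"]},
]


def leak_report(frames, blocklist, secrets):
    """Sanitize with `blocklist` and report which secrets survive, with the leaking frames."""
    cleaned = sanitize_trace(frames, blocklist)
    still_leaking = leaked_values(cleaned, secrets)
    culprits = sorted(
        f["function"] for f in cleaned
        if leaked_values([f], secrets)
    )
    return {"leaked": still_leaking, "frames": culprits}


if __name__ == "__main__":
    for name, bl in (("without fix", BLOCKLIST_WITHOUT_FIX), ("with fix", BLOCKLIST_WITH_FIX)):
        print(name, leak_report(SAMPLE_TRACE, bl, {SECRET}))
```

Masking whole argument lists rather than individual parameters keeps the check simple, at the price of losing the non-sensitive arguments of those frames in the log; a practitioner who needs them can log a hash or length of each argument instead, but the block list still has to name every method the credential passes through.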

You're right, @rullzer!

time to raise priority on a little script which looks for parameter names and checks that the method name is in the block list, eh?

Anyway, I guess adding createSessionToken to the list of "bad" methods should be good enough?
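The "little script" proposed above, as an added example that is not Nextcloud's tooling: it scans PHP source for method declarations whose parameters are named like secrets and lists those that are missing from the logger's block list. The set of suspicious parameter names, the shape of the block list (a plain set of method names) and the sample class are assumptions constructed for the example; the sample is not copied from Nextcloud's Session.php.

```python
"""Static check: every method taking a password-like parameter must be block-listed.

Added example, not Nextcloud's code. Assumed: the block list is a set of bare
method names and PHP sources are supplied as strings (in practice, read from
lib/ and apps/). The PHP class below is constructed for the example.
"""
import re

# Parameter names that suggest a credential; extend to taste.
SENSITIVE_PARAM_NAMES = {
    "password", "passwd", "pass", "newpassword", "oldpassword", "secret", "token",
}

# PHP method/function declaration: 'function', optional '&', name, parameter list.
_FUNC_RE = re.compile(r"function\s+&?(\w+)\s*\(([^)]*)\)", re.MULTILINE | re.DOTALL)
_PARAM_RE = re.compile(r"\$(\w+)")


def methods_with_sensitive_params(php_source):
    """Yield (method_name, [sensitive param names]) for each matching declaration."""
    for m in _FUNC_RE.finditer(php_source):
        name, params = m.group(1), _PARAM_RE.findall(m.group(2))
        hits = [p for p in params if p.lower() in SENSITIVE_PARAM_NAMES]
        if hits:
            yield name, hits


def unlisted_sensitive_methods(php_sources, blocklist):
    """Return sorted method names that take a secret-looking parameter but are not in `blocklist`."""
    missing = set()
    for src in php_sources:
        for name, _hits in methods_with_sensitive_params(src):
            if name not in blocklist:
                missing.add(name)
    return sorted(missing)


# Constructed sample; signatures are illustrative only.
SAMPLE_SESSION_PHP = """<?php
class Session {
    public function createSessionToken(IRequest $request, $uid, $loginName, $password, $remember = 0) { }
    public function logClientIn($user, $password, IRequest $request, Throttler $throttler) { }
    public function getUser() { }
    private function validateToken($token, $user = null) { }
}
"""

# Hypothetical block list as it might look before the fix discussed in the thread.
BLOCKLIST_BEFORE = {"checkPassword", "login", "logClientIn", "validateToken"}


if __name__ == "__main__":
    for name in unlisted_sensitive_methods([SAMPLE_SESSION_PHP], BLOCKLIST_BEFORE):
        print(f"not block-listed but takes a credential: {name}")
```

Run as a CI step over the whole tree, the check fails the build the moment someone adds a method that receives a password without extending the list; the regex deliberately ignores classes, so two methods with the same name in different classes are treated as one entry, which matches a block list keyed on method name only.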

Fix is in #10193

