Bug 156485

Summary: Online-Update fails and returns root password as clear text
Product: [openSUSE] SUSE Linux 10.1
Reporter: Stephan Binner <stbinner>
Component: YaST2
Assignee: Jiří Suchomel <jsuchome>
Status: RESOLVED WONTFIX
QA Contact: Klaus Kämpf <kkaempf>
Severity: Major
Priority: P5 - None
CC: locilka, meissner, security-team
Version: Beta 7
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: Development
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Stephan Binner 2006-03-09 14:53:34 UTC
Updated 10.0->10.1 B7; calling Online-Update from the YaST control center doesn't work (maybe caused by #156455), and the resulting "Timeout::Error in Root_login#login" page then displays the root password as cleartext (which gets written to ~/.mozilla/firefox/*/Cache etc.). It should never return the root password anywhere!
Comment 2 Jiří Suchomel 2006-03-10 10:09:37 UTC
This is solved by starting the server in the production environment in the last build of web-updater.
Comment 3 Stephan Binner 2006-03-14 09:18:25 UTC
Sorry, no. It still happens with latest build as of today. I guess you didn't understand what this bug report is about.

URL: http://127.0.0.1:3000/root_login/login
===============================================
 Timeout::Error in Root_login#login

execution expired

RAILS_ROOT: script/../config/..
Application Trace | Framework Trace | Full Trace

/usr/lib/ruby/1.8/timeout.rb:54:in `rbuf_fill'
/usr/lib/ruby/1.8/timeout.rb:56:in `timeout'
/usr/lib/ruby/1.8/timeout.rb:76:in `timeout'
/usr/lib/ruby/1.8/net/protocol.rb:132:in `rbuf_fill'
/usr/lib/ruby/1.8/net/protocol.rb:116:in `readuntil'
/usr/lib/ruby/1.8/net/protocol.rb:126:in `readline'
/usr/lib/ruby/1.8/net/http.rb:1988:in `read_status_line'
/usr/lib/ruby/1.8/net/http.rb:1977:in `read_new'
/usr/lib/ruby/1.8/net/http.rb:1046:in `request'
./lib/zmd_proxy.rb:25:in `set_auth'
./lib/zmd_proxy.rb:23:in `set_auth'
./lib/zmd_proxy.rb:125:in `initialize'
./lib/zmd_proxy.rb:418
./script/../config/../app/controllers/root_login_controller.rb:94:in `login'

/usr/lib/ruby/1.8/timeout.rb:54:in `rbuf_fill'
/usr/lib/ruby/1.8/timeout.rb:56:in `timeout'
/usr/lib/ruby/1.8/timeout.rb:76:in `timeout'
/usr/lib/ruby/1.8/net/protocol.rb:132:in `rbuf_fill'
/usr/lib/ruby/1.8/net/protocol.rb:116:in `readuntil'
/usr/lib/ruby/1.8/net/protocol.rb:126:in `readline'
/usr/lib/ruby/1.8/net/http.rb:1988:in `read_status_line'
/usr/lib/ruby/1.8/net/http.rb:1977:in `read_new'
/usr/lib/ruby/1.8/net/http.rb:1046:in `request'
/usr/lib/ruby/1.8/net/http.rb:545:in `start'
/usr/lib/ruby/1.8/net/http.rb:440:in `start'
/usr/lib/ruby/1.8/xmlrpc/client.rb:320:in `initialize'
/usr/lib/ruby/1.8/xmlrpc/client.rb:357:in `new2'
./script/../config/../vendor/rails/activesupport/lib/active_support/dependencies.rb:214:in `require'
./script/../config/../vendor/rails/actionpack/lib/action_controller/base.rb:853:in `perform_action_without_filters'
./script/../config/../vendor/rails/actionpack/lib/action_controller/filters.rb:332:in `perform_action_without_benchmark'
./script/../config/../vendor/rails/actionpack/lib/action_controller/benchmarking.rb:69:in `perform_action_without_rescue'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
./script/../config/../vendor/rails/actionpack/lib/action_controller/benchmarking.rb:69:in `perform_action_without_rescue'
./script/../config/../vendor/rails/actionpack/lib/action_controller/rescue.rb:82:in `perform_action'
./script/../config/../vendor/rails/actionpack/lib/action_controller/base.rb:369:in `process_without_session_management_support'
./script/../config/../vendor/rails/actionpack/lib/action_controller/session_management.rb:116:in `process'
./script/../config/../vendor/rails/railties/lib/dispatcher.rb:38:in `dispatch'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:117:in `handle_dispatch'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:83:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:69:in `dispatch'
./script/../config/../vendor/rails/railties/lib/commands/servers/webrick.rb:59
./script/../config/../vendor/rails/activesupport/lib/active_support/dependencies.rb:214:in `require'
./script/../config/../vendor/rails/railties/lib/commands/server.rb:28
script/server:3

/usr/lib/ruby/1.8/timeout.rb:54:in `rbuf_fill'
/usr/lib/ruby/1.8/timeout.rb:56:in `timeout'
/usr/lib/ruby/1.8/timeout.rb:76:in `timeout'
/usr/lib/ruby/1.8/net/protocol.rb:132:in `rbuf_fill'
/usr/lib/ruby/1.8/net/protocol.rb:116:in `readuntil'
/usr/lib/ruby/1.8/net/protocol.rb:126:in `readline'
/usr/lib/ruby/1.8/net/http.rb:1988:in `read_status_line'
/usr/lib/ruby/1.8/net/http.rb:1977:in `read_new'
/usr/lib/ruby/1.8/net/http.rb:1046:in `request'
./lib/zmd_proxy.rb:25:in `set_auth'
/usr/lib/ruby/1.8/net/http.rb:545:in `start'
/usr/lib/ruby/1.8/net/http.rb:440:in `start'
./lib/zmd_proxy.rb:23:in `set_auth'
/usr/lib/ruby/1.8/xmlrpc/client.rb:320:in `initialize'
/usr/lib/ruby/1.8/xmlrpc/client.rb:357:in `new2'
./lib/zmd_proxy.rb:125:in `initialize'
./lib/zmd_proxy.rb:418
./script/../config/../vendor/rails/activesupport/lib/active_support/dependencies.rb:214:in `require'
./script/../config/../app/controllers/root_login_controller.rb:94:in `login'
./script/../config/../vendor/rails/actionpack/lib/action_controller/base.rb:853:in `perform_action_without_filters'
./script/../config/../vendor/rails/actionpack/lib/action_controller/filters.rb:332:in `perform_action_without_benchmark'
./script/../config/../vendor/rails/actionpack/lib/action_controller/benchmarking.rb:69:in `perform_action_without_rescue'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
./script/../config/../vendor/rails/actionpack/lib/action_controller/benchmarking.rb:69:in `perform_action_without_rescue'
./script/../config/../vendor/rails/actionpack/lib/action_controller/rescue.rb:82:in `perform_action'
./script/../config/../vendor/rails/actionpack/lib/action_controller/base.rb:369:in `process_without_session_management_support'
./script/../config/../vendor/rails/actionpack/lib/action_controller/session_management.rb:116:in `process'
./script/../config/../vendor/rails/railties/lib/dispatcher.rb:38:in `dispatch'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:117:in `handle_dispatch'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:83:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:69:in `dispatch'
./script/../config/../vendor/rails/railties/lib/commands/servers/webrick.rb:59
./script/../config/../vendor/rails/activesupport/lib/active_support/dependencies.rb:214:in `require'
./script/../config/../vendor/rails/railties/lib/commands/server.rb:28
script/server:3

This error occured while loading the following files:
   lib/zmd_proxy

Request

Parameters: {"root_password"=>"<password in cleartext>", "root_pass_button.x"=>"6", "root_pass_button.y"=>"10"}

Show session dump

--- 
:secret: 1
:authorized: 1
flash: !map:ActionController::Flash::FlashHash {}

target: patch

Response
Headers: {"cookie"=>[], "Cache-Control"=>"no-cache"}
Comment 4 Jiří Suchomel 2006-03-14 09:26:02 UTC
I really think I understood the report correctly. When WEBrick is started in the production environment, the root password is not shown on the page (actually, no log similar to the one you've pasted here should be shown in the case of production).

I'm not sure how old your build is, as I didn't submit a new package for beta8 because of the freeze of the project.
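The exchange above turns on RAILS_ENV: the Rails development-mode exception page that Stephan pasted echoes every request parameter, so the root_password field lands in the browser's cache (the response carried only Cache-Control: no-cache, which requires revalidation but, unlike no-store, does not forbid writing the page to disk). Switching to production hides the debug page, but by itself it does not keep the password out of the Rails log or any other error reporter. The following is an added example, not web-updater code and not part of the original bug report: a small Ruby parameter filter that redacts password-like keys before a params hash is rendered into any diagnostic output, regardless of environment. SENSITIVE_KEYS, filter_params, debug_page_params_line and the sample parameter values are assumptions made up for the illustration.

```ruby
# Added example (not web-updater code): redact sensitive request parameters
# before they reach an error page or a log, independent of RAILS_ENV.
# The key pattern is an assumption chosen for this illustration; matching is
# substring-based, so "pass" alone would also catch root_pass_button.x/y.
SENSITIVE_KEYS = /password|passwd|secret|token/i

# Return a copy of +params+ with every value whose key matches +pattern+
# replaced by "[FILTERED]". Nested hashes are filtered recursively.
def filter_params(params, pattern = SENSITIVE_KEYS)
  params.each_with_object({}) do |(key, value), out|
    out[key] =
      if key.to_s =~ pattern
        "[FILTERED]"
      elsif value.is_a?(Hash)
        filter_params(value, pattern)
      else
        value
      end
  end
end

# Build the "Parameters:" line of a debug page. Assumption: like the Rails
# exception page, it is only rendered in development; in any other
# environment a placeholder is returned instead, and even in development the
# parameters pass through filter_params first.
def debug_page_params_line(params, env)
  return "Parameters: (not shown in #{env})" unless env == "development"
  "Parameters: #{filter_params(params).inspect}"
end

# Constructed sample mirroring the request in the bug report; the password
# value is made up.
SAMPLE_PARAMS = {
  "root_password"      => "hunter2",
  "root_pass_button.x" => "6",
  "root_pass_button.y" => "10",
}

if __FILE__ == $0
  puts debug_page_params_line(SAMPLE_PARAMS, "development")
  puts debug_page_params_line(SAMPLE_PARAMS, "production")
end
```

Matching is by substring, so the pattern deliberately uses `password` rather than `pass`; the latter would also redact the harmless root_pass_button.x/y click coordinates from the report and hide useful context. Rails 1.0, which the changelog in comment 5 says this build vendors, ships no such facility; later Rails releases provide filter_parameter_logging and, from Rails 3, config.filter_parameters, which redact matching keys in both the log and the debug page. Serving a page that carries credentials with Cache-Control: no-store is the separate fix for the browser-cache copy Stephan describes.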
Comment 5 Stephan Binner 2006-03-14 09:30:44 UTC
Name        : web-updater                  Relocations: (not relocatable)
Version     : 0.0.10                            Vendor: SUSE LINUX Products GmbH, Nuernberg, Germany
Release     : 3                             Build Date: Sun 12 Mar 2006 09:44:55 PM CET

* Mon Mar 06 2006 - jsuchome@suse.cz
- do not run browser as root
- allow only one browser to connect to server
- use rails 1.0 (dmacvicar)
- XHTML compatibility


How about closing a bug report only once you submitted the fix?
Comment 6 Jiří Suchomel 2006-03-14 09:36:54 UTC
Sorry?
None of these changelog entries are related to this bug.
Comment 7 Stephan Binner 2006-03-14 09:55:53 UTC
So what package contains the fix? Where can I get it? Can you answer the question of comment #5?
Comment 8 Jiří Suchomel 2006-03-14 10:05:34 UTC
I don't know what you meant by the question in comment #5 (that's why I wrote "Sorry?").

I wrote in comment #4, "I didn't submit a new package for beta8, because of the freeze of the project". Now I cannot submit a new package (it is frozen in PDB), and even if I could, it would be useless as the project was postponed.
Comment 9 Lukas Ocilka 2006-03-14 10:06:48 UTC
It means that you should not test it at all now :)
Comment 10 Jiří Suchomel 2006-03-14 10:10:11 UTC
Stephan: now I understand what you meant by your question. So, I closed the bug report after I submitted the fix to the subversion repository, not after I submitted a new package, which I expected to do right before the beta deadline (at which time I was told about the project status).
Comment 11 Jiří Suchomel 2006-11-01 09:51:14 UTC
reopening web-updater related bugs
Comment 12 Jiří Suchomel 2006-11-01 09:52:03 UTC
We have no web-updater, closing as irrelevant.