Bugzilla – Bug 156485
Online-Update fails and returns root password as clear text
Last modified: 2006-11-01 09:52:03 UTC
Updated 10.0->10.1 B7, calling Online-Update from YaST control center doesn't work (maybe caused by #156455) and then it displays in the resulting "Timeout::Error in Root_login#login" page the root password as cleartext (which gets written to ~/.mozilla/firefox/*/Cache etc.). It should never return the root password anywhere!
This is solved by starting the server in the production environment in the last build of web-updater.
Sorry, no. It still happens with latest build as of today. I guess you didn't understand what this bug report is about.

URL: http://127.0.0.1:3000/root_login/login
===============================================
Timeout::Error in Root_login#login
execution expired
RAILS_ROOT: script/../config/..
Application Trace | Framework Trace | Full Trace

/usr/lib/ruby/1.8/timeout.rb:54:in `rbuf_fill'
/usr/lib/ruby/1.8/timeout.rb:56:in `timeout'
/usr/lib/ruby/1.8/timeout.rb:76:in `timeout'
/usr/lib/ruby/1.8/net/protocol.rb:132:in `rbuf_fill'
/usr/lib/ruby/1.8/net/protocol.rb:116:in `readuntil'
/usr/lib/ruby/1.8/net/protocol.rb:126:in `readline'
/usr/lib/ruby/1.8/net/http.rb:1988:in `read_status_line'
/usr/lib/ruby/1.8/net/http.rb:1977:in `read_new'
/usr/lib/ruby/1.8/net/http.rb:1046:in `request'
./lib/zmd_proxy.rb:25:in `set_auth'
./lib/zmd_proxy.rb:23:in `set_auth'
./lib/zmd_proxy.rb:125:in `initialize'
./lib/zmd_proxy.rb:418
./script/../config/../app/controllers/root_login_controller.rb:94:in `login'

/usr/lib/ruby/1.8/timeout.rb:54:in `rbuf_fill'
/usr/lib/ruby/1.8/timeout.rb:56:in `timeout'
/usr/lib/ruby/1.8/timeout.rb:76:in `timeout'
/usr/lib/ruby/1.8/net/protocol.rb:132:in `rbuf_fill'
/usr/lib/ruby/1.8/net/protocol.rb:116:in `readuntil'
/usr/lib/ruby/1.8/net/protocol.rb:126:in `readline'
/usr/lib/ruby/1.8/net/http.rb:1988:in `read_status_line'
/usr/lib/ruby/1.8/net/http.rb:1977:in `read_new'
/usr/lib/ruby/1.8/net/http.rb:1046:in `request'
/usr/lib/ruby/1.8/net/http.rb:545:in `start'
/usr/lib/ruby/1.8/net/http.rb:440:in `start'
/usr/lib/ruby/1.8/xmlrpc/client.rb:320:in `initialize'
/usr/lib/ruby/1.8/xmlrpc/client.rb:357:in `new2'
./script/../config/../vendor/rails/activesupport/lib/active_support/dependencies.rb:214:in `require'
./script/../config/../vendor/rails/actionpack/lib/action_controller/base.rb:853:in `perform_action_without_filters'
./script/../config/../vendor/rails/actionpack/lib/action_controller/filters.rb:332:in `perform_action_without_benchmark'
./script/../config/../vendor/rails/actionpack/lib/action_controller/benchmarking.rb:69:in `perform_action_without_rescue'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
./script/../config/../vendor/rails/actionpack/lib/action_controller/benchmarking.rb:69:in `perform_action_without_rescue'
./script/../config/../vendor/rails/actionpack/lib/action_controller/rescue.rb:82:in `perform_action'
./script/../config/../vendor/rails/actionpack/lib/action_controller/base.rb:369:in `process_without_session_management_support'
./script/../config/../vendor/rails/actionpack/lib/action_controller/session_management.rb:116:in `process'
./script/../config/../vendor/rails/railties/lib/dispatcher.rb:38:in `dispatch'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:117:in `handle_dispatch'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:83:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:69:in `dispatch'
./script/../config/../vendor/rails/railties/lib/commands/servers/webrick.rb:59
./script/../config/../vendor/rails/activesupport/lib/active_support/dependencies.rb:214:in `require'
./script/../config/../vendor/rails/railties/lib/commands/server.rb:28
script/server:3

/usr/lib/ruby/1.8/timeout.rb:54:in `rbuf_fill'
/usr/lib/ruby/1.8/timeout.rb:56:in `timeout'
/usr/lib/ruby/1.8/timeout.rb:76:in `timeout'
/usr/lib/ruby/1.8/net/protocol.rb:132:in `rbuf_fill'
/usr/lib/ruby/1.8/net/protocol.rb:116:in `readuntil'
/usr/lib/ruby/1.8/net/protocol.rb:126:in `readline'
/usr/lib/ruby/1.8/net/http.rb:1988:in `read_status_line'
/usr/lib/ruby/1.8/net/http.rb:1977:in `read_new'
/usr/lib/ruby/1.8/net/http.rb:1046:in `request'
./lib/zmd_proxy.rb:25:in `set_auth'
/usr/lib/ruby/1.8/net/http.rb:545:in `start'
/usr/lib/ruby/1.8/net/http.rb:440:in `start'
./lib/zmd_proxy.rb:23:in `set_auth'
/usr/lib/ruby/1.8/xmlrpc/client.rb:320:in `initialize'
/usr/lib/ruby/1.8/xmlrpc/client.rb:357:in `new2'
./lib/zmd_proxy.rb:125:in `initialize'
./lib/zmd_proxy.rb:418
./script/../config/../vendor/rails/activesupport/lib/active_support/dependencies.rb:214:in `require'
./script/../config/../app/controllers/root_login_controller.rb:94:in `login'
./script/../config/../vendor/rails/actionpack/lib/action_controller/base.rb:853:in `perform_action_without_filters'
./script/../config/../vendor/rails/actionpack/lib/action_controller/filters.rb:332:in `perform_action_without_benchmark'
./script/../config/../vendor/rails/actionpack/lib/action_controller/benchmarking.rb:69:in `perform_action_without_rescue'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
./script/../config/../vendor/rails/actionpack/lib/action_controller/benchmarking.rb:69:in `perform_action_without_rescue'
./script/../config/../vendor/rails/actionpack/lib/action_controller/rescue.rb:82:in `perform_action'
./script/../config/../vendor/rails/actionpack/lib/action_controller/base.rb:369:in `process_without_session_management_support'
./script/../config/../vendor/rails/actionpack/lib/action_controller/session_management.rb:116:in `process'
./script/../config/../vendor/rails/railties/lib/dispatcher.rb:38:in `dispatch'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:117:in `handle_dispatch'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:83:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'
/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'
/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'
/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'
/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'
./script/../config/../vendor/rails/railties/lib/webrick_server.rb:69:in `dispatch'
./script/../config/../vendor/rails/railties/lib/commands/servers/webrick.rb:59
./script/../config/../vendor/rails/activesupport/lib/active_support/dependencies.rb:214:in `require'
./script/../config/../vendor/rails/railties/lib/commands/server.rb:28
script/server:3

This error occured while loading the following files:
lib/zmd_proxy

Request Parameters: {"root_password"=>"<password in cleartext>", "root_pass_button.x"=>"6", "root_pass_button.y"=>"10"}

Show session dump
---
:secret: 1
:authorized: 1
flash: !map:ActionController::Flash::FlashHash {}
target: patch

Response Headers: {"cookie"=>[], "Cache-Control"=>"no-cache"}
I really think I understood the report correctly. When the webrick is started in production environment, the root password is not shown on the page (actually no log similar to the one you've pasted here should be shown in case of production). I'm not sure how old your build is, as I didn't submit a new package for beta8 because of the freeze of the project.
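Added example, not code from web-updater or from any commenter in this report: the comment above relies on production mode suppressing the diagnostic page, and the sketch below additionally masks password-like parameters before any diagnostic page or log line is built, so a development-mode error page would not echo them either. It is plain Ruby without Rails; `redact`, `error_body`, `log_line`, the key pattern and the sample values are all hypothetical.

```ruby
require "timeout"

# Keys whose values must never reach an error page or a log (assumed list).
SENSITIVE_KEY = /passw(or)?d|secret|token/i
MASK = "[FILTERED]"

# Return a copy of value with every sensitive key's value masked, recursing
# through nested hashes and arrays. The input is not modified.
def redact(value, key = nil)
  return MASK if key && key.to_s =~ SENSITIVE_KEY
  case value
  when Hash  then value.each_with_object({}) { |(k, v), out| out[k] = redact(v, k) }
  when Array then value.map { |v| redact(v) }
  else value
  end
end

# Response body for a failed request. Diagnostics appear only in development,
# and even there the parameters are masked first.
def error_body(exception, params, env)
  return "An internal error occurred." unless env == "development"
  ["#{exception.class}: #{exception.message}",
   "Request Parameters: #{redact(params).inspect}"].join("\n")
end

# Log entry written in every environment, built from masked parameters.
def log_line(exception, params)
  "#{exception.class} (#{exception.message}) params=#{redact(params).inspect}"
end

# Constructed sample modelled on the parameters shown in the report.
SAMPLE_PARAMS = {
  "root_password"      => "constructed-example-pw",
  "root_pass_button.x" => "6",
  "root_pass_button.y" => "10"
}
SAMPLE_ERROR = Timeout::Error.new("execution expired")

if __FILE__ == $0
  puts error_body(SAMPLE_ERROR, SAMPLE_PARAMS, "development")
  puts error_body(SAMPLE_ERROR, SAMPLE_PARAMS, "production")
  puts log_line(SAMPLE_ERROR, SAMPLE_PARAMS)
end
```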
Name        : web-updater    Relocations: (not relocatable)
Version     : 0.0.10         Vendor: SUSE LINUX Products GmbH, Nuernberg, Germany
Release     : 3              Build Date: Sun 12 Mar 2006 09:44:55 PM CET

* Mon Mar 06 2006 - jsuchome@suse.cz
- do not run browser as root
- allow only one browser to connect to server
- use rails 1.0 (dmacvicar)
- XHTML compatibility

How about closing a bug report only once you submitted the fix?
Sorry? None of these changelog entries are related to this bug.
So what package contains the fix? Where can I get it? Can you answer the question of comment #5?
I don't know what you meant by the question in comment #5 (that's why I wrote "Sorry?"). I wrote in comment #4, "I didn't submit new package for beta8, because of the freeze of the project". Now I cannot submit a new package (it is frozen in PDB) and even if I could, it would be useless as the project was postponed.
It means that you should not test it at all now :)
Stephan: now I understand what you meant by your question. So, I closed the bug report after I submitted the fix to the subversion repository, not after I submitted a new package, which I expected to do right before the beta deadline. (At which time I was told about the project status.)
reopening web-updater related bugs
We have no web-updater, closing as irrelevant.