cmsAddAdmin shouldn't log the password if it was provided by the user
1. file: cms/cmscontrib/AddAdmin.py, function: add_admin. Log information disclosure: username and password

Uhmmmmmm...... that's normal. It's where the cmsAddAdmin script reminds you of the login info for the admin account you just created. That does not constitute a leak.
I'm not sure about it, but is it really normal to log plain-text passwords?
In this special case I think it's ok since logger.info is being used as a normal stdout print statement.
Also there must be a way to let the user know the randomly generated password.
@niuzhi Do you have a more secure way in mind to do this?
I agree that we could at least log the password only when it gets randomly generated (i.e. the password is None case) and skip showing it when it's provided (i.e. when we call cmsAddAdmin ... -p thepassword).
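
The behaviour proposed in the last comment, as an added example that is not code from the CMS repository: the password reaches the log only when it was generated, never when the caller supplied it. The `add_admin` here is a stand-alone stand-in for the real function, and `generate_random_password`, `ListHandler`, `demo` and the sample usernames and password are hypothetical names and constructed values.

```python
import logging
import secrets
import string

logger = logging.getLogger("add_admin_example")


def generate_random_password(length=16):
    """Return a random alphanumeric password from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def add_admin(username, password=None):
    """Create an admin; log the password only if it was generated here."""
    generated = password is None
    if generated:
        password = generate_random_password()
    # Hashing and storing the admin is outside this example (assumption).
    if generated:
        # The operator has no other way to learn a generated password.
        logger.info("Admin '%s' created with generated password '%s'",
                    username, password)
    else:
        # The "-p thepassword" case: the operator already knows it.
        logger.info("Admin '%s' created with the password you provided",
                    username)
    return password


class ListHandler(logging.Handler):
    """Collect log messages so the behaviour can be checked."""
    def __init__(self):
        super().__init__()
        self.messages = []

    def emit(self, record):
        self.messages.append(record.getMessage())


def demo():
    handler = ListHandler()
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    generated = add_admin("alice")             # constructed sample input
    add_admin("bob", "constructed-sample-pw")  # user-supplied password
    logger.removeHandler(handler)
    return generated, handler.messages
```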