[Bug 1101938] New: kgapi logs full oauth traffic to the journal
http://bugzilla.opensuse.org/show_bug.cgi?id=1101938

Bug ID: 1101938
Summary: kgapi logs full oauth traffic to the journal
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.0
Hardware: Other
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: KDE Applications
Assignee: opensuse-kde-bugs@opensuse.org
Reporter: fvogt@suse.com
QA Contact: qa-bugs@suse.de
CC: lbeltrame@kde.org
Found By: ---
Blocker: ---

Excerpt from a journal:

Jul 19 17:55:59 rofl akonadi_imap_resource[2579]: attempting client step after doneflag
Jul 19 17:55:59 rofl akonadi_imap_resource[2579]: org.kde.pim.kimap: sasl_client_step failed with: -1 "SASL(0): successful result: "
Jul 19 17:55:59 rofl akonadi_imap_resource[2579]: org.kde.kgapi.raw: Requesting token refresh: "client_id=554041944266.apps.googleusercontent.com&client_secret=XXX&refresh_token=XXX&grant_type=refresh_token"
Jul 19 17:55:59 rofl akonadi_imap_resource[2579]: org.kde.kgapi: Queued QUrl("https://accounts.google.com/o/oauth2/token")
Jul 19 17:55:59 rofl akonadi_imap_resource[2579]: org.kde.kgapi: KGAPI2::AuthJob(0x55bcb01239f0) Dispatching request to QUrl("https://accounts.google.com/o/oauth2/token")
Jul 19 17:55:59 rofl akonadi_imap_resource[2579]: org.kde.kgapi.raw: "client_id=554041944266.apps.googleusercontent.com&client_secret=XXX&refresh_token=XXX&grant_type=refresh_token"
Jul 19 17:56:00 rofl akonadi_imap_resource[2579]: org.kde.kgapi: Received reply from QUrl("https://accounts.google.com/o/oauth2/token")
Jul 19 17:56:00 rofl akonadi_imap_resource[2579]: org.kde.kgapi: Status code: 200
Jul 19 17:56:00 rofl akonadi_imap_resource[2579]: org.kde.kgapi.raw: "{\n \"access_token\" : \"XXX\",\n \"expires_in\" : 3600,\n \"id_token\" : \"XXX\",\n \"scope\" : \"https://www.googleapis.com/auth/plus.me https://mail.google.com/ https://www.googleapis.com/auth/userinfo.email\",\n \"token_type\" : \"Bearer\"\n}"
Jul 19 17:56:00 rofl akonadi_imap_resource[2579]: org.kde.kgapi:
Jul 19 17:56:00 rofl akonadi_imap_resource[2579]: qt.network.ssl: QSslSocket::startClientEncryption: cannot start handshake on non-plain connection
Jul 19 17:56:00 rofl akonadi_imap_resource[2578]: attempting client step after doneflag
Jul 19 17:56:00 rofl akonadi_imap_resource[2578]: org.kde.pim.kimap: sasl_client_step failed with: -1 "SASL(0): successful result: "
Jul 19 17:56:00 rofl akonadi_imap_resource[2578]: org.kde.kgapi.raw: Requesting token refresh: "XXX"
Jul 19 17:56:00 rofl akonadi_imap_resource[2578]: org.kde.kgapi: Queued QUrl("https://accounts.google.com/o/oauth2/token")
Jul 19 17:56:00 rofl akonadi_imap_resource[2578]: org.kde.kgapi: KGAPI2::AuthJob(0x55e1bb093950) Dispatching request to QUrl("https://accounts.google.com/o/oauth2/token")
Jul 19 17:56:00 rofl akonadi_imap_resource[2578]: org.kde.kgapi.raw: "XXX"
Jul 19 17:56:00 rofl akonadi_imap_resource[2578]: org.kde.kgapi: Received reply from QUrl("https://accounts.google.com/o/oauth2/token")
Jul 19 17:56:00 rofl akonadi_imap_resource[2578]: org.kde.kgapi: Status code: 200
Jul 19 17:56:00 rofl akonadi_imap_resource[2578]: org.kde.kgapi.raw: "{\n \"access_token\" : \"XXX"...
Jul 19 17:56:00 rofl akonadi_imap_resource[2578]: org.kde.kgapi:
Jul 19 17:56:00 rofl akonadi_imap_resource[2578]: qt.network.ssl: QSslSocket::startClientEncryption: cannot start handshake on non-plain connection

--
You are receiving this mail because:
You are on the CC list for the bug.
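A check for the exposure reported above, as an added example that is not part of the original report or of kgapi: it scans journal lines from the `org.kde.kgapi.raw` category for the credential fields named in the excerpt, in both the form-encoded request and the escaped JSON reply, and redacts their values. The function names `scrub` and `audit` are hypothetical, and the sample lines and token values are constructed.

```python
import re

# Credential-bearing fields seen in the token request and response above.
SENSITIVE = ("client_secret", "refresh_token", "access_token", "id_token")
_NAMES = "|".join(SENSITIVE)

# Form-encoded request body: name=value, ended by '&', a quote or whitespace.
FORM_RE = re.compile(r'(?P<pre>\b(?P<name>%s)=)(?P<val>[^&"\s]+)' % _NAMES)
# JSON reply as it appears in the journal, where inner quotes show up as \".
JSON_RE = re.compile(
    r'(?P<pre>\\?"(?P<name>%s)\\?"\s*:\s*\\?")(?P<val>[^"\\]+)' % _NAMES)


def scrub(line):
    """Return (redacted line, sorted names of credential fields it exposed)."""
    found = set()

    def repl(match):
        found.add(match.group("name"))
        return match.group("pre") + "[REDACTED]"

    line = JSON_RE.sub(repl, FORM_RE.sub(repl, line))
    return line, sorted(found)


def audit(lines, category="org.kde.kgapi.raw"):
    """Count exposed credential fields in lines from one logging category."""
    counts = {}
    for line in lines:
        if category + ":" not in line:
            continue
        for name in scrub(line)[1]:
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample lines in the journal's format; all values are made up.
SAMPLE = [
    r'Jul 19 17:55:59 host akonadi_imap_resource[2579]: org.kde.kgapi.raw: '
    r'Requesting token refresh: "client_id=demo.example&client_secret=s3cr3t'
    r'&refresh_token=1/rt-demo&grant_type=refresh_token"',
    r'Jul 19 17:56:00 host akonadi_imap_resource[2579]: org.kde.kgapi.raw: '
    r'"{\n \"access_token\" : \"ya29.demo\",\n \"expires_in\" : 3600\n}"',
    r'Jul 19 17:56:00 host akonadi_imap_resource[2579]: org.kde.kgapi: Status code: 200',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(scrub(entry)[0])
    print(audit(SAMPLE))
```

A non-empty result from `audit` on exported journal text means the refresh token and client secret should be treated as exposed to anyone who can read the journal.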
Patrick Schaaf
http://bugzilla.opensuse.org/show_bug.cgi?id=1101938#c3
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=1101938#c5
--- Comment #5 from Luca Beltrame
Luca, I am not sure if commenting out the code like this will be accepted upstream. Would it not be better to disable whatever debugging is used
According to upstream, the output is disabled by default (and there were no changes in output handling since 2015), so it should not end up anywhere by default. Why this ends up in the journal in this case is another matter entirely. I chose a quick fix to ensure this at least won't leak tokens and other sensitive information, but I agree this is not an optimal solution. The root cause is probably logging being broken somewhere.
http://bugzilla.opensuse.org/show_bug.cgi?id=1101938#c6
Luca Beltrame
http://bugzilla.opensuse.org/show_bug.cgi?id=1101938#c7
--- Comment #7 from Luca Beltrame
http://bugzilla.opensuse.org/show_bug.cgi?id=1101938#c8
--- Comment #8 from Luca Beltrame
http://bugzilla.opensuse.org/show_bug.cgi?id=1101938#c9
--- Comment #9 from Patrick Schaaf
http://bugzilla.opensuse.org/show_bug.cgi?id=1101938#c10
Luca Beltrame