Share with YunoPaste displays sensitive information

Good morning, everyone,
During an installation error I wanted to share my logs on GitHub using the very practical “Share with YunoPaste” button.
I was surprised to find that sensitive information such as my domain, username and password in plain text was present in the generated information.

Isn’t that a little dangerous? Is it intentional/normal?
I almost didn’t pay attention. It might be useful to display a warning; I don’t know what you think about it.

You have to take out the important information from the logs before posting. Logs are meant to contain debugging information, so in the case of YunoHost they record the steps and command outputs for debugging. I am sure these important details could be hidden if this were implemented in the core of YunoHost, but there are things which need more priority than this right now. It will take only a few minutes to replace these details in a text editor with the replace command, but implementing this would take much more time and effort, which could be used right now to build other important features of YunoHost. Moreover, each app will need to hide different important details, which would require implementing this at the app level too, thus increasing the effort even more. But as it's a valid security issue, you might open a request on https://dev.yunohost.org/.

1 Like
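
The manual find-and-replace suggested above can be scripted so that encoded copies of a value are not missed. This is an added example, not part of the thread and not YunoHost code; the log lines, the domain, the username and the password are all constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import quote, quote_plus

def variants(value):
    """Forms one value may take in a log: raw, percent-encoded, form-encoded."""
    return {value, quote(value, safe=""), quote_plus(value)}

def build_needles(secrets):
    """Map every variant of every non-empty secret to its placeholder label."""
    return {v: label for label, value in secrets.items() if value
            for v in variants(value)}

def redact(log_text, secrets):
    """Replace each known value with [LABEL] in a single pass over the text."""
    needles = build_needles(secrets)
    if not needles:
        return log_text
    # Longest needle first, so a short value never splits a longer one.
    ordered = sorted(needles, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(n) for n in ordered))
    return pattern.sub(lambda m: "[" + needles[m.group(0)] + "]", log_text)

def leaks(text, secrets):
    """Labels whose value (in any variant) is still present; run before pasting."""
    return sorted({label for needle, label in build_needles(secrets).items()
                   if needle in text})

# Constructed values and log lines, for illustration only.
SECRETS = {"DOMAIN": "cloud.example.org", "USER": "alice",
           "PASSWORD": "p@ss w0rd"}
SAMPLE_LOG = (
    "DEBUG - + install --domain=cloud.example.org --admin=alice "
    "--password='p@ss w0rd'\n"
    "DEBUG - POST https://cloud.example.org/setup?user=alice&pass=p%40ss+w0rd\n"
    "WARNING - login failed for alice@cloud.example.org\n"
)

if __name__ == "__main__":
    cleaned = redact(SAMPLE_LOG, SECRETS)
    print(cleaned)
    print("still leaking:", leaks(cleaned, SECRETS))
```

Matching is case-sensitive and covers only the raw and URL-encoded forms, so a value that was base64-encoded, hashed or re-cased in the log still has to be looked for by hand.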

Hello @kanhu,
When you click on the “Share with YunoPaste” button, it is not possible, to my knowledge, to hide sensitive information. It would be enough to have a checkbox to tick if you want to include them in the logs; otherwise they should be excluded by default, in my opinion.
I’ll open a request for the devs, thank you for your answer ^_<