Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FPP crash reports contain cleartext OS and UI passwords #1425

Open
nkaminski opened this issue Nov 30, 2022 · 8 comments
Open

FPP crash reports contain cleartext OS and UI passwords #1425

nkaminski opened this issue Nov 30, 2022 · 8 comments
Assignees
@computergeek1507

Comments

@nkaminski
Copy link
Contributor

Hello FPP dev team,

While looking through the contents of a recently generated FPP crash report, I've noticed in FPP 6.2 that crash reports which include either settings only or settings and configuration contain the plaintext UI and OS passwords in the payload that is uploaded over the Internet.

Furthermore, I have a hard time rationalizing any material benefit from having the actual passwords present in the crash report when analyzing bugs.

Therefore, would it be possible to redact passwords in the uploaded settings/configuration (and/or @dkulp would you be open to a PR which implements this functionality)?
@dkulp
Copy link
Contributor

dkulp commented Nov 30, 2022

A PR would be fine. Just keep in mind that what generating a crash report, the state of the memory is kind of unknown as we don't know what caused the crash. Thus, using a bunch of libraries/methods/etc... that do complex things may not be doable without causing further crashes.

@nkaminski
Copy link
Contributor Author

nkaminski commented Nov 30, 2022
edited
Loading

I was thinking of refactoring the zip file creation process which is currently implemented as a set of system() calls into a shell script that is invoked via one system() call which filters out credentials using grep -v and then generates the zip as before.

Therefore, the maximal amount of recording and reporting is done out of process.

@dkulp
Copy link
Contributor

dkulp commented Nov 30, 2022

That would be perfect.

@darylc
Copy link
Contributor

darylc commented Jan 29, 2023

@nkaminski Just wanted to check in and see if you were still thinking about contributing a fix for this one?

@nkaminski
Copy link
Contributor Author

nkaminski commented Feb 3, 2023 via email

@darylc
Copy link
Contributor

darylc commented Jun 17, 2023

@nkaminski If you were still thinking of doing this just a heads up that FPP 7.0 release is coming up in the next weeks.

@darylc darylc added this to FPP 8.0 Jan 13, 2024
@ghormann ghormann moved this to Wishlist in FPP 8.0 Jan 13, 2024
@patdelaney patdelaney moved this from Wishlist to Todo in FPP 8.0 Jan 13, 2024
@computergeek1507 computergeek1507 self-assigned this Jun 20, 2024
@darylc
Copy link
Contributor

darylc commented Jul 27, 2024

@computergeek1507 Do you think you'll get this done for FPP 8 or shall we move it to FPP 9 and beyond?

@computergeek1507
Copy link
Member

Please push it out

@darylc darylc removed this from FPP 8.0 Jul 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@computergeek1507 computergeek1507

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@dkulp @computergeek1507 @nkaminski @darylc