[security] don't put uncrypted password in query parameters, else it may be logged on error oldstable
author Sylvain Thénault <sylvain.thenault@logilab.fr>
Tue, 27 Jul 2010 12:36:03 +0200
branch oldstable
changeset 6018 f4d1d5d9ccbb
parent 5993 50e1a6ad3e98
child 6019 373a313ee9ec
child 6665 90f2f20367bc
[security] don't put uncrypted password in query parameters, else it may be logged on error
server/sources/native.py
--- a/server/sources/native.py	Mon Jul 19 15:36:16 2010 +0200
+++ b/server/sources/native.py	Tue Jul 27 12:36:03 2010 +0200
@@ -1397,7 +1397,7 @@
         two queries are needed since passwords are stored crypted, so we have
         to fetch the salt first
         """
-        args = {'login': login, 'pwd' : password}
+        args = {'login': login, 'pwd' : None}
         if password is not None:
             rset = self.source.syntax_tree_search(session, self._passwd_rqlst, args)
             try:
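Review bot: the new `'pwd' : None` line carries no comment explaining why the placeholder is there, so a later cleanup could put `password` back into `args` and reintroduce the logging exposure; a short comment on that line saying the cleartext password must never enter the query arguments would guard against this. The visible lines also do not show where `args['pwd']` receives the crypted value after the salt lookup through `self._passwd_rqlst`, so it is worth confirming that every path reaching the second query assigns it first, otherwise that query would compare against None.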