Config error should not lead to user passwords in log #2304

Closed
nberlee opened this issue Nov 24, 2016 · 1 comment


nberlee commented Nov 24, 2016

  1. Configure a functional ldap config and use an illegal field in 'Internal Username Attribute'
  2. Log in using an ldap account
  3. Check the nextcloud.log for [password] =>

Expected behaviour

a vardump without a valid password such as:
{"reqId":"2iSjxR/DAO5rfJaU9p/S","remoteAddr":"172.18.22.218","app":"no app in context","message":"$params["uid"] was missing. Transferred value: Array\n(\n [run] => 1\n [uid] => \n [password] => *** OBFUSCATED ***\n)\n","level":3,"time":"2016-11-24T10:37:30+00:00","method":"POST","url":"/index.php/login","user":"--"}

Actual behaviour

{"reqId":"2iSjxR/DAO5rfJaU9p/S","remoteAddr":"172.18.22.218","app":"no app in context","message":"$params["uid"] was missing. Transferred value: Array\n(\n [run] => 1\n [uid] => \n [password] => [MyRealPassword]]\n)\n","level":3,"time":"2016-11-24T10:37:30+00:00","method":"POST","url":"/index.php/login","user":"--"}

Server configuration

Operating system:
Alpine

Web server:
Nginx 1.10.2

Database:
Galera MariaDB

PHP version:
PHP 7.0.13
Nextcloud version: (see Nextcloud admin page)
10.0.1 (stable)

Updated from an older Nextcloud/ownCloud or fresh install:
fresh

Where did you install Nextcloud from:
Downloaded from nextcloud.com

Signing status:

No errors have been found.

List of activated apps:

Enabled:

  • activity: 2.3.2
  • admin_audit: 1.0.0
  • comments: 1.0.0
  • dav: true
  • federatedfilesharing: true
  • files: true
  • files_external: 1.0.2
  • files_pdfviewer: 0.8.1
  • files_sharing: 1.0.0
  • files_versions: 1.3.0
  • html5_videoplayer: 1.0
  • provisioning_api: 1.0.0
  • richdocuments: 1.1.14
  • serverinfo: 1.1.1
  • theming: 1.0.1
  • user_ldap: 1.0.1
  • workflowengine: true

Disabled:

  • encryption
  • external
  • federation
  • files_accesscontrol
  • files_automatedtagging
  • files_retention
  • files_texteditor
  • files_trashbin
  • files_videoplayer
  • firstrunwizard
  • gallery
  • notifications
  • password_policy
  • survey_client
  • systemtags
  • templateeditor
  • updatenotification
  • user_external
  • user_saml

The content of config/config.php:

```json
{
    "system": {
        "instanceid": "oczuky2n6g01",
        "passwordsalt": "REMOVED SENSITIVE VALUE",
        "secret": "REMOVED SENSITIVE VALUE",
        "trusted_domains": [
            "*** CENSORED BY ME ***"
        ],
        "datadirectory": "/var/www/html/data",
        "overwrite.cli.url": "https://files.CENSORED THE REST",
        "dbtype": "mysql",
        "version": "9.1.1.5",
        "dbname": "nextcloud",
        "dbhost": "datom.prod.*** CENSORED BY ME ***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "REMOVED SENSITIVE VALUE",
        "dbpassword": "REMOVED SENSITIVE VALUE",
        "logtimezone": "UTC",
        "installed": true,
        "mail_from_address": "nextcloud",
        "mail_smtpmode": "php",
        "mail_domain": "*** CENSORED BY ME ***",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "appstore.experimental.enabled": true,
        "loglevel": 0,
        "maintenance": false
    }
}
```

Are you using external storage, if yes which one: local/smb/sftp/...
smb
Are you using encryption: yes/no
no
Are you using an external user-backend, if yes which one: LDAP/ActiveDirectory/Webdav/...
ActiveDirectory

LDAP configuration:

```
Configuration                   s01
-----------------------------------------------------------------
hasMemberOfFilterSupport        1
hasPagedResultSupport
homeFolderNamingRule            attr:cn
lastJpegPhotoLookup             0
ldapAgentName                   CENSORED
ldapAgentPassword               ***
ldapAttributesForGroupSearch
ldapAttributesForUserSearch     displayName;sAMAccountName;mail
ldapBackupHost                  ldaps://dc2a.CENSORED THE REST
ldapBackupPort                  636
ldapBase                        CENSORED
ldapBaseGroups                  OU=Groups,OU=Global,CENSORED THE REST
ldapBaseUsers                   CENSORED THE REST
ldapCacheTTL                    600
ldapConfigurationActive         1
ldapDynamicGroupMemberURL
ldapEmailAttribute              mail
ldapExperiencedAdmin            0
ldapExpertUUIDGroupAttr
ldapExpertUUIDUserAttr          cn
ldapExpertUsernameAttr          cn
ldapGroupDisplayName            cn
ldapGroupFilter                 (&(|(objectclass=group)))
ldapGroupFilterGroups           CENSORED
ldapGroupFilterMode             1
ldapGroupFilterObjectclass      group
ldapGroupMemberAssocAttr        member
ldapHost                        ldaps://dc1a.CENSORED THE REST
ldapIgnoreNamingRules
ldapLoginFilter                 (&(&(objectCategory=Person)(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CENSORED THE REST))(|(samaccountname=%uid)(|(mailPrimaryAddress=%uid)(mail=%uid))))
ldapLoginFilterAttributes
ldapLoginFilterEmail            0
ldapLoginFilterMode             0
ldapLoginFilterUsername         1
ldapNestedGroups                1
ldapOverrideMainServer
ldapPagingSize                  0
ldapPort                        636
ldapQuotaAttribute
ldapQuotaDefault
ldapTLS                         0
ldapUserDisplayName             sAMAccountName
ldapUserDisplayName2            displayname
ldapUserFilter                  (&(objectCategory=Person)(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CENSORED THE REST))
ldapUserFilterGroups            AllowNextCloud
ldapUserFilterMode              1
ldapUserFilterObjectclass       user
ldapUuidGroupAttribute          auto
ldapUuidUserAttribute           auto
turnOffCertCheck                1
useMemberOfToDetectMembership   1
```

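The report's expected behaviour (the dumped parameter array with the password replaced by `*** OBFUSCATED ***`) and the check in step 3 can both be shown in PHP. What follows is an added example written for this page; it is neither Nextcloud's code nor the change in #2306. `redactSensitive()` masks credential-bearing keys before the array is formatted with `print_r`, which produces the `Array ( [key] => value )` layout visible in the log lines above, and `findLeakedPasswords()` scans nextcloud.log for entries whose `[password] =>` still carries a real value. The key list, the helper names and the two log lines are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Nextcloud's own code: keys whose values must never reach
// a log. The list is an assumption for the example; "password" is the key
// that leaked in the issue, the others are common credential field names.
const SENSITIVE_KEYS = ['password', 'passwd', 'secret', 'token', 'passwordsalt', 'dbpassword'];
const REDACTED = '*** OBFUSCATED ***';

/**
 * Return a copy of $params with the values of sensitive keys replaced,
 * descending into nested arrays. Key comparison is case-insensitive so that
 * "Password" is caught as well as "password". Integer keys are never
 * treated as sensitive.
 */
function redactSensitive(array $params): array
{
    $out = [];
    foreach ($params as $key => $value) {
        if (is_string($key) && in_array(strtolower($key), SENSITIVE_KEYS, true)) {
            $out[$key] = REDACTED;
        } elseif (is_array($value)) {
            $out[$key] = redactSensitive($value);
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

/**
 * Build the "$params[...] was missing" message with the same Array ( ... )
 * layout seen in nextcloud.log (print_r output), but from the redacted copy.
 * The helper's name is an assumption; it does not mirror a Nextcloud function.
 */
function missingParamMessage(string $name, array $params): string
{
    return '$params["' . $name . '"] was missing. Transferred value: '
        . print_r(redactSensitive($params), true);
}

/**
 * Audit check for step 3 of the report: read nextcloud.log (one JSON object
 * per line) and return the reqId of every entry whose message still carries
 * a real value after "[password] =>". Entries already showing REDACTED, or an
 * empty value, are not reported.
 */
function findLeakedPasswords(string $logContents): array
{
    $leaks = [];
    foreach (preg_split('/\R/', $logContents) as $line) {
        $entry = json_decode($line, true);
        if (!is_array($entry) || !isset($entry['message'])) {
            continue; // blank line or not a JSON log entry
        }
        if (preg_match('/\[password\] => (.*)$/m', $entry['message'], $m)) {
            $value = trim($m[1]);
            if ($value !== '' && $value !== REDACTED) {
                $leaks[] = $entry['reqId'] ?? '(no reqId)';
            }
        }
    }
    return $leaks;
}

// Constructed input mirroring the report: the login POST parameters as they
// were dumped when "Internal Username Attribute" held an invalid field.
$params = ['run' => 1, 'uid' => '', 'password' => 'MyRealPassword'];
echo missingParamMessage('uid', $params), PHP_EOL;

// Constructed log: one entry that leaks, one that is already obfuscated.
$log = json_encode(['reqId' => 'req-leak', 'message' =>
        "\$params[\"uid\"] was missing. Transferred value: Array\n(\n [password] => MyRealPassword\n)\n"]) . "\n"
     . json_encode(['reqId' => 'req-clean', 'message' =>
        "\$params[\"uid\"] was missing. Transferred value: Array\n(\n [password] => *** OBFUSCATED ***\n)\n"]) . "\n";

foreach (findLeakedPasswords($log) as $reqId) {
    echo 'plaintext password in log entry reqId=', $reqId, PHP_EOL;
}
```

Run it with `php` from the command line. Redact at the point where the parameter array is handed to the logger rather than relying on each caller to remember, and keep in mind that a code fix does nothing for entries already written: run the scanner over the existing nextcloud.log, purge the matching lines, and treat any password found there as exposed to whoever could read the log.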
nberlee changed the title from "Config error should not display user passwords in log" to "Config error should not lead to user passwords in log" on Nov 24, 2016
nickvergessen (Member) commented:

#2306 should fix this.
