Sensitive parameters are not fully replaced in log file #6624

Closed
AykutCevik opened this issue Sep 23, 2017 · 7 comments

Comments

@AykutCevik

AykutCevik commented Sep 23, 2017

Problem:
I found my password and a part of an auth token as plain text in the Nextcloud log file.
It should be replaced with *** sensitive parameters replaced ***.
It seems that the macOS Contacts Sync produces this error. I generated an app token without filesystem access for the sync, which leads to errors in the log file.

Here is my log file where I replaced the username with [ActualUsername], the password with [UserPassword] and an auth token with [SomeToken]:

Log file
OC\ForbiddenException: This request is not allowed to access the filesystem
/lib/private/Files/View.php - line 1136: OC\Lockdown\Filesystem\NullStorage->mkdir('files_encryptio...')
/lib/private/Files/View.php - line 269: OC\Files\View->basicOperation('mkdir', '/[ActualUsername]/files_en...', Array)
/lib/private/Encryption/Keys/Storage.php - line 370: OC\Files\View->mkdir('/[ActualUsername]/files_en...')
/lib/private/Encryption/Keys/Storage.php - line 230: OC\Encryption\Keys\Storage->keySetPreparation('/[ActualUsername]/files_en...')
/lib/private/Encryption/Keys/Storage.php - line 115: OC\Encryption\Keys\Storage->setKey('/[ActualUsername]/files_en...', '-----BEGIN PUBL...')
/apps/encryption/lib/KeyManager.php - line 287: OC\Encryption\Keys\Storage->setUserKey('[ActualUsername]', 'publicKey', '-----BEGIN PUBL...', 'OC_DEFAULT_MODU...')
/apps/encryption/lib/KeyManager.php - line 246: OCA\Encryption\KeyManager->setPublicKey('[ActualUsername]', '-----BEGIN PUBL...')
/apps/encryption/lib/Users/Setup.php - line 77: OCA\Encryption\KeyManager->storeKeyPair('[ActualUsername]', '[UserPassword]...', Array)
/apps/encryption/lib/Hooks/UserHooks.php - line 183: OCA\Encryption\Users\Setup->setupUser('[ActualUsername]', '[UserPassword]...')
/lib/private/legacy/hook.php - line 106: OCA\Encryption\Hooks\UserHooks->login(*** sensitive parameters replaced ***)
/lib/private/Server.php - line 363: OC_Hook emit('OC_User', 'post_login', Array)
[internal function] OC\Server->OC\{closure}(Object(OC\User\User), '[UserPassword]...')
/lib/private/Hooks/EmitterTrait.php - line 99: call_user_func_array(Object(Closure), Array)
/lib/private/Hooks/PublicEmitter.php - line 33: OC\Hooks\BasicEmitter->emit('\\OC\\User', 'postLogin', Array)
/lib/private/User/Session.php - line 359: OC\Hooks\PublicEmitter->emit('\\OC\\User', 'postLogin', Array)
/lib/private/User/Session.php - line 591: OC\User\Session->completeLogin(*** sensitive parameters replaced ***)
/lib/private/User/Session.php - line 324: OC\User\Session->loginWithToken('[SomeToken]...')
/lib/private/User/Session.php - line 400: OC\User\Session->login(*** sensitive parameters replaced ***)
/apps/dav/lib/Connector/Sabre/Auth.php - line 129: OC\User\Session->logClientIn(*** sensitive parameters replaced ***)
/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php - line 105: OCA\DAV\Connector\Sabre\Auth->validateUserPass(*** sensitive parameters replaced ***)
/apps/dav/lib/Connector/Sabre/Auth.php - line 252: Sabre\DAV\Auth\Backend\AbstractBasic->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/apps/dav/lib/Connector/Sabre/Auth.php - line 154: OCA\DAV\Connector\Sabre\Auth->auth(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 201: OCA\DAV\Connector\Sabre\Auth->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 150: Sabre\DAV\Auth\Plugin->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
[internal function] Sabre\DAV\Auth\Plugin->beforeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105: call_user_func_array(Array, Array)
/3rdparty/sabre/dav/lib/DAV/Server.php - line 466: Sabre\Event\EventEmitter->emit('beforeMethod', Array)
/3rdparty/sabre/dav/lib/DAV/Server.php - line 254: Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/apps/dav/appinfo/v1/carddav.php - line 88: Sabre\DAV\Server->exec()
/remote.php - line 162: require_once('/home/[ActualUsername]/web...')
{main}

Server configuration

Operating system:
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

Web server:
nginx version: nginx/1.10.3 (Ubuntu)

Database:
Ver 14.14 Distrib 5.7.19, for Linux (x86_64)

PHP version:
PHP 7.0.22-0ubuntu0.16.04.1

Nextcloud version:
12.0.3.3 stable channel

Updated from an older Nextcloud/ownCloud or fresh install:
Was once ownCloud, then changed to Nextcloud. Instance since Nextcloud 10.

Where did you install Nextcloud from:
Downloaded archive file from nextcloud.com

Signing status:
All checks passed.

List of activated apps:

App list
Enabled:
  - activity: 2.5.2
  - bruteforcesettings: 1.0.2
  - calendar: 1.5.5
  - comments: 1.2.0
  - contacts: 1.5.3
  - dav: 1.3.0
  - encryption: 1.6.0
  - federatedfilesharing: 1.2.0
  - federation: 1.2.0
  - files: 1.7.2
  - files_pdfviewer: 1.1.1
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - files_videoplayer: 1.1.0
  - firstrunwizard: 2.1
  - gallery: 17.0.0
  - keeweb: 0.4.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.1
  - notes: 2.3.1
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - password_policy: 1.2.2
  - provisioning_api: 1.2.0
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - systemtags: 1.2.0
  - theming: 1.3.0
  - twofactor_backupcodes: 1.1.1
  - updatenotification: 1.2.0
  - workflowengine: 1.2.0

Nextcloud configuration:

Config report
{
    "system": {
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***",
            "***REMOVED SENSITIVE VALUE***",
            "***REMOVED SENSITIVE VALUE***"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***\/owncloud-service-data",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "12.0.3.3",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "Europe\/Berlin",
        "installed": true,
        "default_language": "de",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "php",
        "loglevel": 0,
        "log_authfailip": true,
        "logfile": "***REMOVED SENSITIVE VALUE***",
        "cron_log": true,
        "enable_previews": true,
        "memcache.local": "\\OC\\Memcache\\Redis",
        "cipher": "AES-256-CFB",
        "maintenance": false,
        "theme": "",
        "filelocking.enabled": "true",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": ***REMOVED SENSITIVE VALUE***,
            "timeout": 0
        },
        "trashbin_retention_obligation": "auto",
        "asset-pipeline.enabled": true,
        "htaccess.RewriteBase": "\/",
        "updater.release.channel": "stable",
        "auth.bruteforce.protection.enabled": true
    }
}

Are you using external storage, if yes which one:
no

Are you using encryption:
yes

Are you using an external user-backend, if yes which one:
no
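The gap the report shows is a per-method redaction list: frames such as login() are blanked, while neighbouring frames (storeKeyPair, setupUser, the post_login closure, loginWithToken) still print a prefix of the same password or token. The following added Python illustration is not Nextcloud's code; the trace lines, the user name and the credential values are constructed from the frames quoted above, and the 15-character truncation with "..." mirrors how the report's arguments appear. It contrasts a method-name list with a value-based scrub that also catches truncated prefixes, plus a check a log reviewer can run.

```python
import re

REDACTED = "*** sensitive parameters replaced ***"
# Frame shape from the report: "<file> - line <n>: Class->method(args)" or "[internal function] callee(args)".
FRAME_RE = re.compile(r"^(?P<prefix>.*?)(?P<callee>[\w\\{}>-]+)\((?P<args>.*)\)$")
LITERAL_RE = re.compile(r"'([^']*)'")
# Constructed trace modelled on the frames quoted in the report; credentials are made up.
# Arguments are cut to 15 characters plus "...", exactly as the report shows them.
SAMPLE_TRACE = r"""/apps/encryption/lib/Users/Setup.php - line 77: OCA\Encryption\KeyManager->storeKeyPair('alice', 'CorrectHorseBat...', Array)
/apps/encryption/lib/Hooks/UserHooks.php - line 183: OCA\Encryption\Users\Setup->setupUser('alice', 'CorrectHorseBat...')
/lib/private/legacy/hook.php - line 106: OCA\Encryption\Hooks\UserHooks->login(*** sensitive parameters replaced ***)
[internal function] OC\Server->OC\{closure}(Object(OC\User\User), 'CorrectHorseBat...')
/lib/private/User/Session.php - line 324: OC\User\Session->loginWithToken('AbCdEf012345678...')
/lib/private/User/Session.php - line 400: OC\User\Session->login(*** sensitive parameters replaced ***)
{main}"""
SECRETS = ("CorrectHorseBatteryStaple", "AbCdEf012345678XYZ")  # constructed password and app token

def _blank_args(m):
    return f"{m.group('prefix')}{m.group('callee')}({REDACTED})"

def redact_by_method(trace: str, sensitive_methods: set) -> str:
    """Per-method list: blank the arguments only of frames whose method name is listed."""
    out = []
    for line in trace.splitlines():
        m = FRAME_RE.match(line)
        if m and m.group("callee").split("->")[-1] in sensitive_methods:
            line = _blank_args(m)
        out.append(line)
    return "\n".join(out)

def literal_is_secret(literal: str, secrets, min_len: int = 4) -> bool:
    """Truncated arguments are only a prefix of the real value, so compare prefixes."""
    value = literal[:-3] if literal.endswith("...") else literal
    return len(value) >= min_len and any(s.startswith(value) for s in secrets)

def find_leaks(trace: str, secrets) -> list:
    """Detection check: 1-based numbers of frames that still carry (a prefix of) a secret."""
    return [n for n, line in enumerate(trace.splitlines(), 1)
            if any(literal_is_secret(lit, secrets) for lit in LITERAL_RE.findall(line))]

def redact_by_value(trace: str, secrets) -> str:
    """Defence in depth: blank the argument list of every frame that carries a known secret."""
    out = []
    for line in trace.splitlines():
        m = FRAME_RE.match(line)
        if m and any(literal_is_secret(lit, secrets) for lit in LITERAL_RE.findall(m.group("args"))):
            line = _blank_args(m)
        out.append(line)
    return "\n".join(out)
```

With only {"login", "storeKeyPair"} on the method list, find_leaks still reports the setupUser, closure and loginWithToken frames; the value scrub returns no leaks while keeping every frame's file, line and callee intact.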

@AykutCevik
Author

Will this issue be addressed in the next milestone? Since passwords should not be present in any readable file, I would also like to tell my users that I'm not logging their passwords in any case, of course.

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@ChristophWurst
Member

cc @nickvergessen

@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Oct 2, 2018
@nickvergessen nickvergessen self-assigned this Oct 5, 2018
@nickvergessen
Member

Ah, 2017; this was fixed in Oct '17:
4ae7275

@ChristophWurst
Member

Thanks, @nickvergessen!

@ghost

ghost commented May 16, 2020

Is it possible to temporarily enable output of sensitive data to log?

@ChristophWurst
Member

no

@ChristophWurst
Member

For questions, please use https://help.nextcloud.com/

@nextcloud nextcloud locked as resolved and limited conversation to collaborators May 18, 2020