Error log contains clear-text password when Net_Sieve is missing #6082

Closed
doktoil-makresh opened this issue Dec 7, 2017 · 3 comments

@doktoil-makresh

Hi,
When you enable the managesieve plugin and the PHP Net_Sieve module is missing, the Roundcube error log contains the clear-text password:
[06-Dec-2017 14:12:43 Europe/Berlin] PHP Fatal error: Uncaught Error: Class 'Net_Sieve' not found in /usr/share/roundcube/plugins/sieverules/lib/Roundcube/rcube_sieve.php:50
Stack trace:
#0 /usr/share/roundcube/plugins/sieverules/sieverules.php(1891): rcube_sieve->__construct('mailaddress@...', 'CLEAR_TEXT_PASSWORD', 'localhost', 4190, NULL, false, 'roundcube', '/var/lib/roundc...', false, NULL, NULL, NULL)
#1 /usr/share/roundcube/plugins/sieverules/sieverules.php(314): sieverules->_startup()
#2 /usr/share/roundcube/program/lib/Roundcube/rcube_plugin_api.php(491): sieverules->init_html()
#3 /usr/share/roundcube/index.php(277): rcube_plugin_api->exec_action('plugin.sieverul...')
#4 {main}
thrown in /usr/share/roundcube/plugins/sieverules/lib/Roundcube/rcube_sieve.php on line 50

When PHP Net_Sieve is installed, this log is not triggered anymore, hence the password is not readable anymore.

OS: Debian 9.
Debian RoundCube package version: 1.2.3+dfsg.1-4+deb9u1
Debian Roundcube extra-plugins package version: 1.2.1-20160803
Managesieve plugin version (according to Changelog file): 8.6 [2016-04-06]

@alecpl
Member

alecpl commented Dec 7, 2017

That will be a packaging issue. We do not manage Debian packages.

@alecpl alecpl closed this as completed Dec 7, 2017
@doktoil-makresh
Author

Hi,

OK, this is a packaging issue (missing dependency), but anyway, is it expected that the Roundcube error log reports the username and password in clear text?

@alecpl
Member

alecpl commented Dec 7, 2017

This is a PHP error stack trace. We can't really control that. We could only check for Net_Sieve existence before creating the rcube_sieve object. But we do not do such things in other places, so we'll not do this here, I guess.
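
An added example, not part of the original thread or of Roundcube's code: a Python scanner that finds stack-trace frames like frame #0 in the report above in an existing error log and redacts the leaked argument. The argument position (second argument of `rcube_sieve->__construct`) is taken from the trace in this issue; the sample log, address and password are constructed.

```python
import re

# Assumption from the trace in this issue: the password is argument index 1.
SENSITIVE_ARGS = {"rcube_sieve->__construct": {1}}
FRAME_RE = re.compile(r"^(#\d+ .+?\(\d+\): )([\w\\]+(?:->|::)\w+)\((.*)\)\s*$")

# Constructed sample modelled on the trace in the report (values are made up).
SAMPLE_LOG = """PHP Fatal error: Uncaught Error: Class 'Net_Sieve' not found
Stack trace:
#0 /usr/share/roundcube/plugins/sieverules/sieverules.php(1891): rcube_sieve->__construct('user@example.org', 'pa,ss-constructed', 'localhost', 4190, NULL, false)
#1 /usr/share/roundcube/plugins/sieverules/sieverules.php(314): sieverules->_startup()
#2 {main}"""


def split_args(arglist):
    """Split a trace argument list on commas outside single quotes.
    Limitation: assumes quotes inside values are balanced."""
    args, current, in_quote = [], [], False
    for ch in arglist:
        if ch == "'":
            in_quote = not in_quote
        if ch == "," and not in_quote:
            args.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if current:
        args.append("".join(current).strip())
    return args


def redact_line(line):
    """Return (line, hit); hit is True when a sensitive string was redacted."""
    m = FRAME_RE.match(line)
    if not m or m.group(2) not in SENSITIVE_ARGS:
        return line, False
    args = split_args(m.group(3))
    hit = False
    for idx in SENSITIVE_ARGS[m.group(2)]:
        if idx < len(args) and args[idx].startswith("'"):
            args[idx] = "'[REDACTED]'"
            hit = True
    return f"{m.group(1)}{m.group(2)}({', '.join(args)})", hit


def scan(log_text):
    """Redact a whole log; return (redacted_text, 1-based line numbers hit)."""
    results = [redact_line(line) for line in log_text.splitlines()]
    findings = [n for n, (_, hit) in enumerate(results, 1) if hit]
    return "\n".join(line for line, _ in results), findings
```

Each line number returned by `scan` marks a credential that was written to disk and should be treated as exposed and rotated.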
