Lernstick / glados

The exam server webinterface
https://glados-doc.readthedocs.io/en/latest/

Don't log passwords in cleartext on every login #107

Closed SoerenBusse closed 3 years ago

SoerenBusse commented 3 years ago

Hey there,

the Glados server is logging the password of every login attempt in cleartext to the log file (/var/lib/glados/runtime/logs/app.log). This is because it's dumping the $_POST variable.


The same issue exists in exceptions which may contain the password in their stacktrace:

#7 /usr/share/glados/models/LoginForm.php(100): app\models\UserAuth::findByCredentials('Username', 'VERYSECRETPASSWORD')
#8 /usr/share/glados/models/LoginForm.php(54): app\models\LoginForm->getUserAuth()
#9 /usr/share/yii2/yiisoft/yii2/validators/InlineValidator.php(84): app\models\LoginForm->authenticate('password', NULL, Object(yii\validators\InlineValidator), 'VERYSECRETPASSWORD')

This is a big security issue and should be fixed.

chaoos commented 3 years ago

Hi Soeren

Thank you for pointing that out. It's solved (see commit https://github.com/imedias/glados/commit/c82e30e9701d0e92ff11c07fb59ccc0c866689a4). This will be applied in the next release, version 1.0.9. The masked login entry now looks like:

$_POST = [
    '_csrf' => 'bif7_MJ0B56UCqL7J2o5DVcM314h99EHvIuHodA7oto4fbOGikBF6_5s5JFJAGxpM2uwNRC_jmvrybHPlU7Kgw=='
    'LoginForm' => [
        'username' => 'user'
        'password' => '***'
        'rememberMe' => '1'
    ]
    'login-button' => ''
]

Regards Roman
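The masking shown above, as an added example that is not the glados project's own code: a recursive filter applied to the request array before it is dumped to the log, so nested form data such as `LoginForm[password]` is replaced with `***` regardless of where it sits. The key list, function name and sample request are assumptions constructed for the example.

```php
<?php
// Added example, not glados code: mask password-like keys in a (nested)
// request array before it is written to a log file.

/** Keys whose values must never reach a log (assumed list, matched case-insensitively). */
const SENSITIVE_KEYS = ['password', 'password_repeat', 'new_password', 'old_password'];

/**
 * Return a copy of $data in which every value stored under a sensitive key
 * is replaced by '***'. Nested arrays (e.g. Yii form models posted as
 * ['LoginForm' => ['password' => ...]]) are walked recursively.
 */
function maskSensitive(array $data, array $sensitiveKeys = SENSITIVE_KEYS): array
{
    $lookup = array_flip(array_map('strtolower', $sensitiveKeys));
    $masked = [];
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            // Recurse so form models nested under a prefix are masked too.
            $masked[$key] = maskSensitive($value, $sensitiveKeys);
        } elseif (is_string($key) && isset($lookup[strtolower($key)])) {
            // Replace the secret, keep the key so the log stays readable.
            $masked[$key] = '***';
        } else {
            $masked[$key] = $value;
        }
    }
    return $masked;
}

// Constructed sample request resembling the login POST from the report.
$post = [
    '_csrf'        => 'CSRF-TOKEN-PLACEHOLDER',
    'LoginForm'    => [
        'username'   => 'user',
        'password'   => 'VERYSECRETPASSWORD',
        'rememberMe' => '1',
    ],
    'login-button' => '',
];

// Always log the masked copy, never the raw $_POST array.
error_log('$_POST = ' . var_export(maskSensitive($post), true));
```

Masking the request dump does not touch exception stack traces that capture the password as a call argument (as in the trace quoted in the report); those need a separate check, for example by reviewing where the raw password is passed through callbacks whose arguments end up in the trace.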