Open JeffreyHartman opened 6 years ago
Upon changing my Windows password, Bonobo would return a 500 error whenever I would try to log in. I checked the error log and found it was throwing a System.Web.HttpRequestValidationException. Apparently because my new Windows password had an angle bracket in it, Bonobo was crashing when I entered this character. Of more concern than the vague 500 error, though, was the fact that my password was stored in plaintext in the error log as part of the stack trace (obviously manually redacted from the attached stack trace). The start of the stack trace looks like this; I've replaced my password with x's:

```
w3wp.exe Error: 0 : Server Error occured and caught in Global.asax - System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (Password="xxxxxxx").
```

@JeffreyHartman Thanks for this. We can sort out why this field can't cope with an angle bracket, but I don't think there's much we can do about ASP.NET's exception messages.

Passwords appearing inadvertently in logs is unfortunately a perennial problem. It's a well-known hazard of login usernames on Unix-type login screens: you always get a small proportion where people have typed their password into the username field, which then gets logged.

We'll fix the underlying bug, anyway.
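One way to keep the offending value out of the trace log while the underlying bug is fixed, as an added illustration that is not Bonobo's own code: scrub the sensitive form-field values out of the exception text in Global.asax before it is logged. It assumes the login form posts the password under a field named `Password` (and optionally `ConfirmPassword`) and that the log sink is `System.Diagnostics.Trace`, as in the w3wp.exe line above.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical helper (not part of Bonobo): redacts the values of sensitive
// form fields from an exception's text before it reaches the trace log.
public static class SafeErrorLogger
{
    // Assumption: these are the form field names that carry secrets.
    private static readonly string[] SensitiveFields = { "Password", "ConfirmPassword" };

    // HttpRequestValidationException formats the offending input as
    //   (FieldName="value")
    // The value group is greedy so that a password containing a '"' is still
    // redacted up to the closing quote-paren rather than cut short.
    private static readonly Regex SensitiveValue = new Regex(
        @"(?<key>\b(?:" + string.Join("|", SensitiveFields) + @")\s*=\s*"")(?<val>.*)(?<end>""\))",
        RegexOptions.IgnoreCase);

    public static string Redact(string text)
    {
        if (string.IsNullOrEmpty(text)) return text;
        return SensitiveValue.Replace(text,
            m => m.Groups["key"].Value + "[REDACTED]" + m.Groups["end"].Value);
    }

    public static string Describe(Exception ex)
    {
        // ToString() carries the message and the stack trace; both are scrubbed.
        return Redact(ex.ToString());
    }
}

// Global.asax.cs: log the scrubbed description instead of the raw exception.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;
        Trace.TraceError("Server Error occurred and caught in Global.asax - {0}",
                         SafeErrorLogger.Describe(ex));
    }
}
```

The regex is keyed to the exception's message format, so it is a stop-gap for this one leak; the stronger fix is to never write raw Request.Form values to the log in the first place.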