Re: [epf-dev] Security Questions
Hi Christian,
Passwords are removed from log files using the filter_parameter_logging parameter. This feature is applied in the code; see the line in login_controller.rb:
filter_parameter_logging :password, :password_confirmation
Passwords are not stored anywhere. Only a 'hash' of the password is saved to the database together with the account details (name, email). As a consequence it is not possible to recover or resend a lost password. If you look for example at http://epf.eclipse.org/login/lost_password you will notice that you have to provide a new password. The new password will only become active after it is confirmed using the confirmation link in the email that will be sent when the form is submitted.
I don't know of any other known security issues. Currently there are no issues in Eclipse Bugs regarding security.
Best Regards,
Onno
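The two mechanisms Onno describes, redacting password parameters before they reach the log and persisting only a salted hash that a lost-password flow replaces (never recovers) after an emailed confirmation token is presented, as an added illustration in plain Ruby. This is example code written for this archive page, not code from the EPF wiki; the filtered key names mirror the filter_parameter_logging line above, while the SHA-256-with-salt scheme, the "[FILTERED]" marker, and the helper names (filter_params, create_account, confirm_password_reset) are assumptions for illustration, not the application's real implementation.

```ruby
require "digest"
require "securerandom"

# Keys whose values must never reach a log line. The real application declares
# them with Rails' filter_parameter_logging; this list is an assumption that
# mirrors the two names in the reply above.
FILTERED_KEYS = %w[password password_confirmation].freeze

# Recursively copy a params hash, replacing every filtered value with
# "[FILTERED]". Nested hashes and arrays are walked so a password inside
# params["user"] is still redacted.
def filter_params(params)
  case params
  when Hash
    params.each_with_object({}) do |(k, v), out|
      out[k] = FILTERED_KEYS.include?(k.to_s) ? "[FILTERED]" : filter_params(v)
    end
  when Array
    params.map { |v| filter_params(v) }
  else
    params
  end
end

# Build the request log line from already-filtered params, so the secret is
# gone before any formatting happens.
def log_line(action, params)
  "Processing #{action} with parameters: #{filter_params(params).inspect}"
end

# Password storage: only a per-account random salt and the hash are kept.
# SHA-256 over salt and password is an assumption for illustration; the reply
# only says that a hash is stored.
def make_salt
  SecureRandom.hex(16)
end

def hash_password(password, salt)
  Digest::SHA256.hexdigest("#{salt}--#{password}")
end

# What an account row would hold: name, email, salt, hashed password (no plaintext).
def create_account(name, email, password)
  salt = make_salt
  { name: name, email: email, salt: salt, crypted_password: hash_password(password, salt) }
end

# Constant-time comparison so a mismatch does not leak through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def authenticate(account, password)
  secure_compare(account[:crypted_password], hash_password(password, account[:salt]))
end

# Lost-password flow from the reply: the old password cannot be recovered, so a
# one-time token is issued (the confirmation email would carry it) and the new
# password only becomes active once that token is presented.
def request_password_reset(account)
  account.merge(reset_token: SecureRandom.hex(20))
end

def confirm_password_reset(account, token, new_password)
  return nil unless account[:reset_token] && secure_compare(account[:reset_token], token)
  salt = make_salt
  account.merge(salt: salt, crypted_password: hash_password(new_password, salt), reset_token: nil)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request, as a login form would post it.
  params = { "login" => "onno", "password" => "s3cret",
             "user" => { "password_confirmation" => "s3cret" } }
  puts log_line("LoginController#create", params)
  acct = create_account("Onno", "onno@example.invalid", "s3cret")
  puts "stored row: #{acct.inspect}"
  puts "login ok? #{authenticate(acct, 's3cret')}"
  pending = request_password_reset(acct)
  updated = confirm_password_reset(pending, pending[:reset_token], "n3w-pass")
  puts "reset with new password ok? #{authenticate(updated, 'n3w-pass')}"
end
```

Running the file prints a log line in which both password fields read "[FILTERED]", an account row that contains no plaintext password, and a successful login after the token-confirmed reset; a reset attempted with a wrong token returns nil and leaves the stored hash untouched.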
On Tue, Mar 16, 2010 at 11:45 AM,
<Christian.Kopietz@xxxxxxxxxxxxxx> wrote:
Hi There,
I am charged with finding out if there are any known security issues within the epf wiki? Are there logs with personal data, and if so, for how long are they held ready by default? How are the registered users stored and especially how is the login password stored?
Would be nice if someone could help me out.
With kind regards
Christian Kopietz
Bachelor of Computer Science
IT-Infrastructure & Applications
--
Innovations Software Technology GmbH
Bosch Group
Ziegelei 7, 88090 Immenstaad/GERMANY
Tel. +49 7545 202-251
Fax +49 7545 202-301
mailto:christian.kopietz@xxxxxxxxxxxxxx
www.innovations.de
Executives: Achim Berger, Thomas Cotic, Thomas Schmid
Register Court Ulm HRB 631888
This message may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please inform us immediately and destroy this message including all copies thereof.
_______________________________________________
epf-dev mailing list
epf-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/epf-dev