[Security] Remove password hash from debug.log

warsawday · March 15, 2017, 1:22pm

Hello,

First things first - I love your work here and am a very happy user of PiHole

There is one thing I believe should be changed - the password should not be sent to developers, or even stored in the debug.log in the first place. There is no apparent legitimate reason for that.

I understand this is SHA256(SHA256()), which isn't stupid md5 or so, but simply it's not about the hash strength - as a good security practice, the passwords should not be stored in logs/hard-coded in binaries etc. The logs can be intercepted among upload to your server or any other server (if someone wishes to keep to the logs off site, for example), can be retrieved from backups or data recovery etc.

As such, I would like to request a minor change of removing the hash of the password from any logs.

diginc · March 15, 2017, 2:27pm

I think they need to at least know 2 things about the password: it exists, and it is formatted as a hash of the correct length. The value could be thrown away or obfuscated pretty easily IMO.

warsawday · March 15, 2017, 6:50pm

Not sure I follow, but the logs pretty surely make it clear it is a password.

diginc · March 15, 2017, 6:59pm

You said "There is no apparent legitimate reason for that."

I was giving you the reasons and a possible solution for someone to execute on in the future while still maintaining some of the important information.

PromoFaux · March 15, 2017, 7:02pm

I've opened a pull request that takes this into consideration. It's up to the collective development team to decide whether or not we include it.