Thanks, and I'll CC your comments to the Debian bug,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545322

>>>>> "DH" == DreamHost Sales Team <sa...@dreamhost.com> writes:

>> Every once in a while, there is a "hiccup" and stats passwords end up in
>> Analog reports. Thus the several users I have established stats accounts
>> for can see them.
>> 
>> These URLs are valid http://user:pas...@example.com/ URLs, it is just
>> that for some reason they ended up in the logs that day, instead of
>> just leaving safe 401 messages etc. in log files.
>> 
>> Therefore please remove this one file,
>> jida...@hoffa:~$ find logs -type f ! -name \*.png |2>&- xargs zgrep -l
>> '://.\+:....@.\+/stats'
>> [[snip]]
>> 
>> And you perhaps should check all accounts for other occurrences.
>> 
>> In a couple days I'll post a discussion list item alerting other users
>> to do the above find(1) check to see if they have any lying around too.
>> 
>> I even filed a bug upstream "in case DH never fixes it at their end":
>> #545322 - mask user:password URL strings - Debian Bug report logs
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545322

DH> Sorry for the trouble that this has caused. I believe that this is likely
DH> done when support visits your stats for some reason, like if you were to
DH> write in about them and we needed to check them out.

[ Uh oh, vicious circle :-) ]

DH> I would tend to blame Analog for this, for not removing these or hiding
DH> these log entries. I believe the way it reports stats is "unintelligent"
DH> in the sense that it just looks at the log file and then displays
DH> everything it finds. I believe that these logs *should* appear in Apache
DH> logs, since it may be useful for troubleshooting but Analog should
DH> definitely not display these.

DH> If you wind up getting them to change the code in Analog, that'd be
DH> awesome and I'm sure I can get our administrators to push out a change to
DH> start using that new version instead. You may also want to submit a
DH> suggestion about this through your control panel here:

DH> https://panel.dreamhost.com/?tree=home.sugg

Errg, tried that system once. Fear the interface.

DH> I hope that helps some. Write back if I can do anything else for you.

DH> Thanks,
DH> Mike S

DH> -- 
DH> DreamHost Sales Team   +   sa...@dreamhost.com
DH> "We host your dreams"                  https://dreamhost.com/signup/
DH> http://www.dreamhost.com/
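
The masking requested in the bug report, shown as an added example that is not from the original e-mail, Analog or DreamHost: a filter that redacts `user:password@` in URLs before log text reaches a report generator, plus a counter for lines that still carry credentials. The function names, the regular expression and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: redact user:password@ in URLs found in access-log text.
# All names and sample data here are constructed, not taken from Analog.

# ERE for scheme://user:password@ ; group 1 is the scheme and "://".
# The user part may not contain ':' '/' '@' whitespace or '"', so a
# host:port followed by '/' (e.g. http://example.com:8080/u@x) never matches.
CRED_RE='([A-Za-z][A-Za-z0-9+.-]*://)[^/@:[:space:]"]+:[^/@[:space:]"]+@'

# Filter stdin to stdout, replacing the whole userinfo with a fixed marker.
mask_url_credentials() {
    sed -E "s#${CRED_RE}#\\1[masked]@#g"
}

# Print the number of stdin lines that still contain URL credentials.
# grep -c exits 1 on zero matches, so the status is neutralised.
count_credential_lines() {
    grep -cE "$CRED_RE" || true
}

# Constructed sample: a 401, a Referer with credentials, a request URL
# with credentials, and a host:port URL that must be left untouched.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [05/Sep/2009:10:00:00 +0000] "GET /stats/ HTTP/1.1" 401 401 "-" "Mozilla/5.0"
192.0.2.10 - alice [05/Sep/2009:10:00:02 +0000] "GET /img.png HTTP/1.1" 200 512 "http://alice:s3cret@example.com/stats/" "Mozilla/5.0"
192.0.2.11 - - [05/Sep/2009:10:01:00 +0000] "GET http://bob:hunter2@example.com/stats/ HTTP/1.1" 200 99 "-" "-"
192.0.2.12 - - [05/Sep/2009:10:02:00 +0000] "GET /a HTTP/1.1" 200 10 "http://example.com:8080/u@x" "-"
EOF
}

# Show the scrubbed sample when the script is run directly.
sample_log | mask_url_credentials
```

On real logs the filter sits between the decompressor and the report generator, for example `zcat access.log.gz | mask_url_credentials`, so the raw Apache log stays intact for troubleshooting.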


