[kmail2] [Bug 374749] New: privacy leak in search debug output
Martin Steigerwald
bugzilla_noreply at kde.org
Sun Jan 8 12:41:20 GMT 2017
https://bugs.kde.org/show_bug.cgi?id=374749
Bug ID: 374749
Summary: privacy leak in search debug output
Product: kmail2
Version: 5.2.3
Platform: Other
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: NOR
Component: search
Assignee: kdepim-bugs at kde.org
Reporter: Martin at Lichtvoll.de
Target Milestone: ---
This debug output might be done by some Akonadi component. Feel free to
reassign. Akonadi and KDEPIM are 16.04.3 from Debian Unstable packages (Debian
unfortunately has no newer packages due to difficulty / time constraints
regarding packaging Qt Webengine which is needed for newer KDEPIM versions).
After starting KMail on the command line, it outputs search debug messages which
reveal the exact search query including the mail address being searched for.
# How to reproduce
- Start kmail on console
You may need to do a search, but on my system it automatically does this one
search on startup, querying whatever mail item is highlighted after start of
KMail.
# Actual results
When starting KMail via desktop session this goes to ~/.xsession-errors and/or
systemd-journald user session login and thus leaks private information to log
files.
Debug output is disabled globally in kdebugdialog, which I learnt before may
not be used anymore.
Executing search "searchUpdate-1483877954"
searchUpdateResultsAvailable 396 0 results
Got 0 results, out of which 0 are already in the collection
Added 0
Search done "searchUpdate-1483877954" (without remote search)
Search update finished
All results: 0
Removed results: 0
Executing search "searchUpdate-1483877954"
searchUpdateResultsAvailable 395 0 results
Got 0 results, out of which 0 are already in the collection
Added 0
Search done "searchUpdate-1483877954" (without remote search)
Search update finished
All results: 0
Removed results: 0
posting retrieval request for item 3013668 there are 1 queues and 0 items
in mine
request for item 3013668 still pending - waiting
processing retrieval request for item 3013668 parts: ("RFC822", "HEAD") of
resource: "akonadi_maildir_resource_0"
continuing
request for item 3013668 succeeded
Database "akonadi" opened using driver "QMYSQL"
SEARCH:
Query: "{\n \"limit\": -1,\n \"negated\": false,\n \"rel\":
1,\n \"subTerms\": [\n {\n \"cond\": 0,\n
\"key\": \"email\",\n \"negated\": false,\n \"value\":
\"bugzilla_noreply at kde.org\"\n }\n ]\n}\n"
MimeTypes: ("text/directory")
Collections: QVector(0, 276)
Remote: false
Recursive true
Executing search "kmail2-1186278907-SearchSession"
Search done "kmail2-1186278907-SearchSession" (without remote search)
Result: 0 matches
SEARCH:
Query: "{\n \"limit\": -1,\n \"negated\": false,\n \"rel\":
1,\n \"subTerms\": [\n {\n \"cond\": 0,\n
\"key\": \"email\",\n \"negated\": false,\n \"value\":
\"bugzilla_noreply at kde.org\"\n }\n ]\n}\n"
MimeTypes: ("text/directory")
Collections: QVector(0, 276)
Remote: false
Recursive true
Executing search "kmail2-1186278907-SearchSession"
Search done "kmail2-1186278907-SearchSession" (without remote search)
Result: 0 matches
Executing search "searchUpdate-1483877969"
searchUpdateResultsAvailable 396 0 results
Got 0 results, out of which 0 are already in the collection
Added 0
Search done "searchUpdate-1483877969" (without remote search)
Search update finished
All results: 0
Removed results: 0
Executing search "searchUpdate-1483877969"
searchUpdateResultsAvailable 395 0 results
Got 0 results, out of which 0 are already in the collection
Added 0
Search done "searchUpdate-1483877969" (without remote search)
Search update finished
All results: 0
Removed results: 0
# Expected results
No debug output which leaks privacy sensitive information in production builds.
Preferably no debug output at all unless manually enabled. Ideally also
sanitize optionally switchable debug output which is intended to be included
in bug reports.
--
You are receiving this mail because:
You are the assignee for the bug.
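
One way to scrub output like the SEARCH dump above before it is attached to a bug report or left in a log file, as an added example that is not part of the original report and not KDE code. It assumes real logs carry the address with `@` and print the query as escaped JSON as shown in the report; `scrub`, `VALUE_RE`, `EMAIL_RE` and the sample text are hypothetical names and constructed data.

```python
import hashlib
import hmac
import re
import secrets
import sys

# Escaped-JSON search term as printed in the SEARCH dump: \"value\": \"...\"
# \s* tolerates the line wrap between key and value. The body alternation
# skips escaped quotes/backslashes inside the term (assumed qDebug-style
# escaping) so a term containing a quote is not redacted only in part.
VALUE_RE = re.compile(r'(\\"value\\":\s*\\")((?:[^\\]|\\\\\\.|\\[^"\\])*)(\\")')
# Fallback: addresses printed anywhere else in the log.
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+')

# Constructed sample in the shape of the dump above (address is made up).
SAMPLE = r'''SEARCH:
Query: "{\n \"limit\": -1,\n \"subTerms\": [\n {\n \"key\": \"email\",\n \"value\":
\"alice@example.org\"\n }\n ]\n}\n"
Executing search "kmail2-0000000000-SearchSession"
Result: 0 matches
SEARCH:
Query: "{\n \"subTerms\": [\n {\n \"key\": \"email\",\n \"value\": \"alice@example.org\"\n }\n ]\n}\n"
'''


def scrub(log_text, key=None):
    """Replace search terms and e-mail addresses with keyed, truncated HMAC tokens.

    The same term maps to the same token within one call, so repeated
    searches stay correlatable; a fresh random key per call means tokens
    cannot be matched across reports or guessed from an address list.
    """
    key = key or secrets.token_bytes(16)

    def token(secret):
        mac = hmac.new(key, secret.encode("utf-8"), hashlib.sha256)
        return "<redacted:%s>" % mac.hexdigest()[:8]

    text = VALUE_RE.sub(lambda m: m.group(1) + token(m.group(2)) + m.group(3), log_text)
    return EMAIL_RE.sub(lambda m: token(m.group(0)), text)


if __name__ == "__main__":
    # Filter mode: scrub a captured log on stdin (no input redirected: show the sample).
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(scrub(data))
```

Lines that carry no search term or address, such as the `Result:` and `Executing search` lines, pass through unchanged, so the scrubbed log keeps its diagnostic value.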