Closed
Bug 842062
Opened 12 years ago
Closed 12 years ago
Everything.me logs all API requests
Categories
(Firefox OS Graveyard :: Gaia::Everything.me, defect)
Tracking
(b2g18 fixed, b2g18-v1.0.0 wontfix, b2g18-v1.0.1 wontfix)
RESOLVED
FIXED
People
(Reporter: st3fan, Assigned: evyatar)
References
Details
Attachments
(1 file)
(deleted),
text/html
|
crdlc
:
review+
lsblakk
:
approval-gaia-v1+
|
Details |
Evertyhing.me logs all API request
% cd gaia/apps/homescreen/everything.me
% ack Evme.Utils.log
js/Brain.js
107: Evme.Utils.log('Callback: ' + _class + '.' + _event);
112: Evme.Utils.log('CB Error! ' + ex.message);
510: Evme.Utils.log('{' + s.join('},{') + '}');
1353: Evme.Utils.log("DoATAPI.request " + getRequestUrl(data));
1373: Evme.Utils.log('API Client Error: ' + data.exception.message);
1378: Evme.Utils.log('API Server Error: ' + JSON.stringify(data.response));
The code for Evme.Utils.log() simply does a dump()
Specially the logging on DoATAPI.request is worrysome as it logs all API requests. Those include personal detail like search queries, session ids and device identifiers and also the Everything.me API key.
It is highly recomended to only log in a special debug build and be as quiet as possible for a production build. I don't think that is currently happening.
The logs are not persisted to disk but a good amount of logging can still easily be recovered with adb.
Comment 1•12 years ago
|
||
Stefan, is there a setting we can use as a condition to logging?
Flags: needinfo?(sarentz)
Comment 2•12 years ago
|
||
Is using console.debug going to eliminate logs in production?
Comment 3•12 years ago
|
||
This appears to be privacy and user data exposure, at first glance.
Flags: needinfo?(sstamm)
Comment 4•12 years ago
|
||
Console logging is disabled by default in production builds so you can use that instead. dump() should not even work at all from content js, but that's another topic...
Comment 6•12 years ago
|
||
(In reply to Sid Stamm [:geekboy or :sstamm] from comment #5)
> dietrich: what info do you need from me on this?
Nm, per comment #4.
Comment 7•12 years ago
|
||
Fabrice, are dogfood builds production builds?
If that's the case, then the only issue would be developers sending their private information to E.me.
Comment 8•12 years ago
|
||
(In reply to Dietrich Ayala (:dietrich) from comment #7)
> Fabrice, are dogfood builds production builds?
Yes
Reporter | ||
Comment 9•12 years ago
|
||
(In reply to Dietrich Ayala (:dietrich) from comment #7)
> Fabrice, are dogfood builds production builds?
>
> If that's the case, then the only issue would be developers sending their
> private information to E.me.
Dietrich, I don't think the issue here is that info is sent back to the e.me servers. I have filed bug 831494 for that in the past.
The only issue for this bug is that the API requests are logged using dump(). I think we have a good solution for that now if they start using console.log() instead, which is disabled by default.
Or are you saying e.me should be disabled completely for developer builds? I have no opinion on that but if you think that is appropriate then please file a separate bug.
Flags: needinfo?(sarentz)
Updated•12 years ago
|
Assignee: nobody → evyatar
Assignee | ||
Comment 10•12 years ago
|
||
replacing all dump() calls with console.log()
Attachment #717594 -
Flags: review?(crdlc)
Updated•12 years ago
|
Attachment #717594 -
Flags: review?(crdlc) → review+
Comment 11•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 12•12 years ago
|
||
Comment on attachment 717594 [details]
Patch - redirect to github PR
NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.
[Approval Request Comment]
Bug caused by (feature/regressing bug #):
User impact if declined: maybe security issue
Testing completed: yes
Risk to taking this patch (and alternatives if risky): no risk
String or UUID changes made by this patch:
Attachment #717594 -
Flags: approval-gaia-v1?
Comment 13•12 years ago
|
||
Comment on attachment 717594 [details]
Patch - redirect to github PR
approving for uplift to v1-train - this is only affecting developer builds and is a low risk fix.
Attachment #717594 -
Flags: approval-gaia-v1? → approval-gaia-v1+
Updated•12 years ago
|
Comment 14•12 years ago
|
||
v1-train@98ef159
You need to log in
before you can comment on or make changes to this bug.
Description
•