Bug#775755: Logs usernames filled into login dialogs

Josh Triplett josh at joshtriplett.org
Tue Jan 20 02:33:15 UTC 2015 

On Tue, Jan 20, 2015 at 11:19:06AM +0900, Mike Hommey wrote:
> On Mon, Jan 19, 2015 at 05:56:46PM -0800, Josh Triplett wrote:
> > On Tue, Jan 20, 2015 at 10:39:21AM +0900, Mike Hommey wrote:
> > > On Mon, Jan 19, 2015 at 05:05:48PM -0800, Josh Triplett wrote:
> > > > On Tue, Jan 20, 2015 at 07:56:16AM +0900, Mike Hommey wrote:
> > > > > On Mon, Jan 19, 2015 at 08:38:07AM -0800, Josh Triplett wrote:
> > > > > > Package: iceweasel
> > > > > > Version: 32.0-1
> > > > > > Severity: important
> > > > > > Tags: security
> > > > > > 
> > > > > > iceweasel seems to have some kind of debugging message that logs values filled
> > > > > > in by the password manager, producing lines like these:
> > > > > > 
> > > > > > Jan 19 08:35:10 thin iceweasel.desktop[21101]: field value:
> > > > > > Jan 19 08:35:10 thin iceweasel.desktop[21101]: selectedLogin value: josh at joshtriplett.org
> > > > > > Jan 19 08:35:14 thin iceweasel.desktop[21101]: field value: josh at joshtriplett.org
> > > > > > Jan 19 08:35:14 thin iceweasel.desktop[21101]: selectedLogin value: josh at joshtriplett.org
> > > > > 
> > > > > What if you turn javascript.options.showInConsole to false?
> > > > 
> > > > No change; all of those messages still appear.
> > > 
> > > Where are these showing up? for what site? Does it happen if you
> > > downgrade to 31 or upgrade to 35?
> > 
> > Any site for which I have a username and password remembered in the
> > password manager.  gandi.net, patreon.com, twitter.com, ...
> > 
> > It doesn't seem to happen in 35.
> 
> Does it happen with 31? I can't reproduce with either version, and you
> still didn't tell where that log is showing up?

I'd prefer not to downgrade Firefox; I've encountered non-trivial
problems with my profile when I've done so in the past.

And when you said "Where are these showing up?", I thought you meant
"where on the web", which I answered; I didn't realize you meant "what
log".

They show up in Firefox's stdout or stderr.  Once upon a time they would
have ended up in .xsession-errors; now they end up in user.log and the
journal.

A quick search for "field value" and "selectedLogin value" shows other
reports of firefox producing this output.

- Josh Triplett

More information about the pkg-mozilla-maintainers mailing list