GNOME Bugzilla – Bug 732286
Disable or fix Pastebin function in debug window to protect user data
Last modified: 2018-05-22 16:31:08 UTC
See my comments at https://bugzilla.gnome.org/show_bug.cgi?id=658724#c19 and https://bugzilla.gnome.org/show_bug.cgi?id=658724#c20 on the bug for original implementation of this button.

At present the button:

* Doesn't warn the user/confirm before sending.
* Posts as a guest user, publicly, with no expiry, allowing only a manual abuse takedown request, which takes up to 24 hours, by which time the page in my case was already crawled by both Google and another bot *designed* to trawl for sensitive data.
* Goes against Pastebin's AUP regarding the posting of sensitive data.

In my case it submitted the SIP number I was trying to call, and my SIP user account and endpoint, as well as my local user account name.

Additionally, some bug somehow triggered the button immediately on my opening the debug window, without my clicking it.

I have asked Pastebin to revoke the API key used in Empathy (as mentioned in the other bug) as it is being used in released versions in an inappropriate manner per their AUP.

I'd suggest that the responsible thing to do would be for the API key owner (Chandni I believe) to revoke it herself anyway and for a new key to be obtained as and when this feature is modified to fix the above problems.

Created attachment 284384
debug-window: use a #define for the API key

Created attachment 284385
debug-window: set an expire date on pastebin upload

We don't want the logs to stay stored forever on pastebin's servers. One month should be enough.

Created attachment 284386
debug-window: upload logs to pastebin as 'unlisted'

We only want the people with the link to be able to see the logs.

Created attachment 284387
debug-window: ask for confirmation before uploading logs to pastebin
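
The three changes named in the attachments above (expiry, unlisted visibility, confirmation before upload), shown together as an added example; this is not the attached patches or Empathy's code. The function names and the placeholder key are hypothetical, and the parameter names `api_paste_private` and `api_paste_expire_date` are taken from Pastebin's public API documentation, not from this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Placeholder only: the page does not show the project's key. */
#define PASTEBIN_API_KEY "PLACEHOLDER_DEV_KEY"

/* Percent-encode src into dst for a form-encoded POST body.
 * Returns bytes written (excluding NUL), or -1 if dst is too small. */
static int form_encode(const char *src, char *dst, size_t cap)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    if (cap == 0) return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            if (n + 1 >= cap) return -1;
            dst[n++] = (char)c;
        } else {
            if (n + 3 >= cap) return -1;
            dst[n++] = '%';
            dst[n++] = hex[c >> 4];
            dst[n++] = hex[c & 15];
        }
    }
    dst[n] = '\0';
    return (int)n;
}

/* Build the upload body. Returns its length, 0 when the user has not
 * confirmed (caller must send nothing), or -1 if out is too small. */
int build_paste_request(const char *log, int user_confirmed, char *out, size_t cap)
{
    int n, m;
    if (!user_confirmed) { if (cap) out[0] = '\0'; return 0; }
    n = snprintf(out, cap, "api_dev_key=%s&api_option=paste"
                 "&api_paste_private=1"       /* 1 = unlisted, 0 = public */
                 "&api_paste_expire_date=1M"  /* expire after one month */
                 "&api_paste_code=", PASTEBIN_API_KEY);
    if (n < 0 || (size_t)n >= cap) return -1;
    m = form_encode(log, out + n, cap - (size_t)n);
    return m < 0 ? -1 : n + m;
}

int main(void)
{
    char body[512]; /* constructed sample log line below */
    if (build_paste_request("call to sip:alice@example.invalid", 1, body, sizeof body) > 0)
        puts(body);
    return 0;
}
```

Unlisted pastes are still readable by anyone who obtains the link, so the confirmation step is what gives the user the chance to review the log before it leaves the machine.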
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/empathy/issues/789.