Hide sensitive data in STDOUT #147

Closed
opened 3 months ago by duke · 6 comments
duke commented 3 months ago
Owner
There is no content yet.
duke added the feature label 3 months ago
duke self-assigned this 3 months ago
Poster
Owner

Latest commit to `dev` prevents logging passphrase length to STDOUT.

@onryo can you show me an example of any other sensitive metadata that is logged to STDOUT? I couldn't find anything else in this repo but maybe it's done in dependency repos such as silentdragonlite-cli etc.

onryo was assigned by duke 3 months ago
Collaborator

I still can see it:

```
operator() : passphrase length= 69
```

The seed phrase is specified when running silentdragonlite-cli but I think it is where users are supposed to clean terminal history, we can't help with that.

Poster
Owner

@onryo thanks for finding that, I fixed it in one place but it was also in the first time wizard. Just fixed that on `dev` branch.

Collaborator

During wallet creation we can avoid tracing the seed phrase in https://git.hush.is/hush/SilentDragonLite/src/branch/dev/src/firsttimewizard.cpp#L304 and also birthday in https://git.hush.is/hush/SilentDragonLite/src/branch/dev/src/firsttimewizard.cpp#L328

I couldn't find how to do both but when restoring with seed:

```
Initializing with server: https://lite.hush.is, seed: <seed phrase>
Config created successfully
Setting birthday to 123456
```
Poster
Owner

@onryo ok, both of those things have now been fixed. Logging the seed was in SDL code but logging the birthday was in sdl-cli code.

Since both changes are "trivial" in the sense that all they do is comment out a line that prints to STDOUT, I think they are fine to merge in after testing the 2.0.1-beta or you can make a new beta release for them, that is up to you. Since the birthday fix is in another repo, that will require updating commit id's and cargo stuff.

Poster
Owner

Closing. Please make new issues for other sensitive data that should not be leaked to STDOUT

duke closed this issue 3 months ago
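
A regression check for the leaks reported in this thread, as an added example that is not code from the SilentDragonLite repositories: it scans captured STDOUT for the three log lines quoted above and for a throwaway test seed. The function name, pattern set, test seed and sample output are all constructed for illustration.

```python
import re

# Patterns for the three leaks quoted in this thread.
LEAK_PATTERNS = {
    "passphrase length": re.compile(r"passphrase length\s*=\s*\d+", re.I),
    "seed phrase": re.compile(r"\bseed:\s*\S+", re.I),
    "wallet birthday": re.compile(r"Setting birthday to\s+\d+", re.I),
}

# Constructed throwaway seed for a test wallet; never use a real one here.
TEST_SEED = "alpha bravo charlie"


def find_leaks(output, known_secrets=()):
    """Return [(line_number, kind), ...] for each leak in captured STDOUT."""
    findings = []
    for number, line in enumerate(output.splitlines(), 1):
        for kind, pattern in LEAK_PATTERNS.items():
            if pattern.search(line):
                findings.append((number, kind))
        # A literal match catches the secret even if the log wording changes.
        normalized = " ".join(line.split())
        for secret in known_secrets:
            if secret and secret in normalized:
                findings.append((number, "known test secret"))
    return findings


# Constructed sample output, modelled on the lines reported in the thread.
BEFORE_FIX = (
    "operator() : passphrase length= 69\n"
    "Initializing with server: https://lite.hush.is, seed: alpha bravo charlie\n"
    "Config created successfully\n"
    "Setting birthday to 123456\n"
)
AFTER_FIX = (
    "Initializing with server: https://lite.hush.is\n"
    "Config created successfully\n"
)
# A hypothetical new log message that no pattern above anticipates.
REWORDED = "Restoring wallet from words: alpha   bravo charlie\n"

if __name__ == "__main__":
    for name, text in [("before", BEFORE_FIX), ("after", AFTER_FIX),
                       ("reworded", REWORDED)]:
        print(name, find_leaks(text, [TEST_SEED]))
```

Run against output captured from a wallet created with a throwaway seed, the check fails the build whenever the returned list is non-empty.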