KoLmafia barfing HTML and debug logs in PasswordHashRequest, no exception

[wrldwzrd89]

Just what the title says. It seems to be happening most often on unsupported choice adventures, like the one in Twin Peak where you can burn the hotel down.

I do not understand why KoLmafia is doing this. I do not want to post the debug logs, since they contain the FULL HTML of the page, including password hashes used at the time - which, as we all know, can be a potential account exploit vector.

The debug logs start with the usual KoLmafia header, then the fully qualified name of PasswordHashRequest, then a giant HTML dump.

 

[slyz]

I don't understand what you are reporting.

Can you explain step by step how to reproduce this? And I think you can post the debug logs as long as you log out of KoL. A new password hash is generated each time you log in, and I don't think an old password hash is of any use.

EDIT: or you can simply replace all the instances of the password hash in the file with something else.

 

[wrldwzrd89]

I don't understand what you are reporting.

Can you explain step by step how to reproduce this? And I think you can post the debug logs as long as you log out of KoL. A new password hash is generated each time you log in, and I don't think an old password hash is of any use.

EDIT: or you can simply replace all the instances of the password hash in the file with something else.

I wish I could, but... I have absolutely no idea what caused any of these events. My hunch is that some sort of debug code was accidentally left in. I just hope it doesn't recur. :3

 

[slyz]

Generally, we make debug code print things in the gCLI, not in debug logs.

 

[Catch-22]

Turn off your "verbosely log communication between KoLmafia and browser" option if you don't want it log HTML to the debug log. As to why you're getting debug logs without an exception.. Maybe you have debugging turned on? Try "debug off" in the gCLI.

 

[Bale]

Just what the title says.

I was unaware that KoLmafia has a digestive tract, let alone that it is capable of reverse peristalsis.

 

[Veracity]

I do not want to post the debug logs, since they contain the FULL HTML of the page, including password hashes used at the time - which, as we all know, can be a potential account exploit vector.

"As we all know", the password hash is valid for a single login session and is generated anew every time you log in. As slyz said, as soon as you log out, the "potential account explot vector" of the old password hash no longer exists and you can post the logs with impunity.

 

[fronobulax]

The OP is describing the expected behavior. I have a whole bunch of debug logs with HTML and password hashes. However, as Veracity describes, the hash is invalid after you log out of KoL so this is not an attack vector unless someone logs into KoL and remains logged into KoL from the time that the debug log is generated until the time the debug log is posted and thus available for exploit. If this were in Bugs/FR I would make as Not A Bug and/or Not going to fix.

If someone wanted to make a case that

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
KoLmafia v15.9 r11918, Windows 7, Java 1.6.0_37
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Please note: do not post this log in the KoLmafia thread. If you
would like the dev team to look at it, please write a bug report
at kolmafia.us. Include specific information about what you were
doing when you made this and include the log as an attachment.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Timestamp: Mon Feb 25 07:04:38 EST 2013
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

should be changed to include a warning that you should log the account out of KoL before posting the log I don't think that would hurt but, as noted, I don't think it is necessary either.

IMO. YMMV.

 

[Veracity]

Having password hashes in embedded HTML is expected behavior, although we do strip them out from the logged URLs we submit.

I don't know whether having something printed to the debug log is expected behavior for an unknown choice. *looking* I see no code to do that. Therefore, unless we can actually see your debug log, I have no clue what it thought it was doing.

 

[fronobulax]

I don't know whether having something printed to the debug log is expected behavior for an unknown choice. *looking* I see no code to do that. Therefore, unless we can actually see your debug log, I have no clue what it thought it was doing.

I think it is the expected behavior but I am certainly open to other events that would generate logs like the attached.