continuum-issues mailing list archives

From "Maria Catherine Tan (JIRA)" <j...@codehaus.org>
Subject [jira] Commented: (CONTINUUM-2240) Passwords are exposed in request log
Date Mon, 27 Jul 2009 03:54:50 GMT

    [ http://jira.codehaus.org/browse/CONTINUUM-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=184944#action_184944 ]

Maria Catherine Tan commented on CONTINUUM-2240:
------------------------------------------------

Setting the includeParams to false fixes this.

<META HTTP-EQUIV="refresh" CONTENT="2;url=<s:url includeParams="false"/>"/>

Does anyone have any objection to this change? If not, I'll commit this :)

> Passwords are exposed in request log
> ------------------------------------
>
>                 Key: CONTINUUM-2240
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-2240
>             Project: Continuum
>          Issue Type: Bug
>    Affects Versions: 1.3.3
>         Environment: 1.3.3-SNAPSHOT r777534
>            Reporter: Wendy Smoak
>
> Subversion passwords are exposed in plain text in the request log when adding a project, for example:
> 2009_05_22.request.log:0:0:0:0:0:0:0:1%0 -  -  [22/May/2009:14:45:32 +0000] "GET /continuum/addMavenTwoProject.action?scmUsername=wsmoak&__checkbox_scmUseCache=true&__checkbox_nonRecursiveProject=true&buildDefinitionTemplateId=-1&m2PomUrl=http%3A%2F%2Fsvn.apache.org%2Frepos%2Fasf%2Fcontinuum%2Fsandbox%2Fsimple-example%2Fpom.xml&scmPassword=mypassw0rd&selectedProjectGroup=-1 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10"
> I assume this is a Jetty log file that we can't do anything about.  If so, we need to document how to turn off this logging, or perhaps leave it off by default and document how to turn it on if needed.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
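
A check for the exposure described in this report, as an added example that is not part of the original message or of the Continuum code base: it scans access-log lines for query parameters whose names suggest a secret and redacts their values. The sample log lines are constructed, and every name suffix other than the one matching scmPassword is an assumption.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: secret-bearing parameter names end in one of these words.
# "scmPassword" comes from the report; the other suffixes are hypothetical.
SENSITIVE = re.compile(r"(password|passwd|secret|token)$", re.IGNORECASE)

# Request field of an NCSA-style access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample lines modelled on the format quoted in the report.
SAMPLE = [
    '127.0.0.1 -  -  [01/Jan/2009:10:00:00 +0000] "GET /continuum/'
    'addMavenTwoProject.action?scmUsername=alice&scmPassword=example-pass'
    '&selectedProjectGroup=-1 HTTP/1.1" 302 0',
    '127.0.0.1 -  -  [01/Jan/2009:10:00:01 +0000] "POST /continuum/'
    'addMavenTwoProject.action HTTP/1.1" 302 0',
]


def find_exposed_params(line):
    """Return (method, path, sensitive parameter names), or None if the
    line contains no parsable request field."""
    m = REQUEST.search(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
             if SENSITIVE.search(k)]
    return m.group("method"), parts.path, names


def redact(line):
    """Blank the value of each sensitive query parameter; everything else
    in the line is left byte-for-byte intact."""
    def scrub_pair(p):
        if SENSITIVE.search(p.group(2)):
            return f"{p.group(1)}{p.group(2)}=[REDACTED]"
        return p.group(0)

    def scrub_request(m):
        target = re.sub(r"([?&])([^=&\s]+)=([^&\s]*)", scrub_pair,
                        m.group("target"))
        return f'"{m.group("method")} {target} {m.group("proto")}"'
    return REQUEST.sub(scrub_request, line)
```

Redaction only cleans logs that already exist; a password that reached a request log should still be treated as disclosed and rotated.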

        
