couchdb-dev mailing list archives

From "Javier Candeira (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (COUCHDB-2364) plaintext admin password remains visible if there are two [admin] sections
Date Wed, 08 Oct 2014 01:37:34 GMT

     [ https://issues.apache.org/jira/browse/COUCHDB-2364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Javier Candeira updated COUCHDB-2364:
-------------------------------------
    Priority: Critical  (was: Major)

> plaintext admin password remains visible if there are two [admin] sections
> --------------------------------------------------------------------------
>
>                 Key: COUCHDB-2364
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2364
>             Project: CouchDB
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Database Core
>            Reporter: Javier Candeira
>            Priority: Critical
>
> How to reproduce:
> 1. Make a local.ini document with two [admin] sections, and the user = password line in the second one, as the dev/run script did as of github commit d3094366b6775e7a54:
> ```
> [admins]
> ;admin = mysecretpassword
> [admins]
> candeira = candeira
> ```
> 2. CouchDB process will not replace the plaintext password, but merely edit in the hashed password under the first [admin] section, and leave the second one unchanged:
> ```
> [admins]
> ;admin = mysecretpassword
> candeira = -pbkdf2-a64e124a06c9c287d5b6ce260cd9c3da4049fe2d,28ea667261c84a53a5f1d92e83f2976d,10
> [admins]
> candeira = candeira
> ```



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
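
A check an operator could run against local.ini after CouchDB has started, given here as an added example that is not part of the original message or of CouchDB's code. It walks every `[admins]` section separately instead of merging them and flags any value that lacks the `-pbkdf2-` or `-hashed-` prefix; the function names and the sample text are constructed for illustration.

```python
import re

# Prefixes CouchDB puts in front of an admin password it has already hashed.
HASHED_PREFIXES = ("-pbkdf2-", "-hashed-")
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

# Constructed sample shaped like the post-startup file in the report
# (hash and salt replaced by placeholders).
SAMPLE = """\
[admins]
;admin = mysecretpassword
candeira = -pbkdf2-<hash>,<salt>,10
[admins]
candeira = candeira
"""


def count_admins_sections(ini_text):
    """Number of [admins] headers; more than one is the condition in the report."""
    names = (SECTION_RE.match(line.strip()) for line in ini_text.splitlines())
    return sum(1 for m in names if m and m.group("name").strip() == "admins")


def find_plaintext_admins(ini_text):
    """Return (line_number, admins_section_ordinal, user) per unhashed entry.

    Parsed line by line on purpose: configparser either rejects duplicate
    sections (strict=True) or merges them (strict=False), and merging would
    hide the leftover plaintext line behind the hashed one.
    """
    findings, section, ordinal = [], None, 0
    for lineno, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):   # blank line or ini comment
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name").strip()
            ordinal += section == "admins"
            continue
        if section != "admins" or "=" not in line:
            continue
        user, value = (part.strip() for part in line.split("=", 1))
        if not value.startswith(HASHED_PREFIXES):
            findings.append((lineno, ordinal, user))
    return findings


if __name__ == "__main__":
    print("admins sections:", count_admins_sections(SAMPLE))
    for lineno, ordinal, user in find_plaintext_admins(SAMPLE):
        print(f"line {lineno}: plaintext password for {user!r} in [admins] #{ordinal}")
```
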
