logging-log4j-dev mailing list archives

From "Poorna Subhash P (JIRA)" <j...@apache.org>
Subject [jira] [Created] (LOG4J2-605) NoSQL appender logging password in clear text.
Date Tue, 15 Apr 2014 06:22:17 GMT
Poorna Subhash P created LOG4J2-605:

             Summary: NoSQL appender logging password in clear text.
                 Key: LOG4J2-605
                 URL: https://issues.apache.org/jira/browse/LOG4J2-605
             Project: Log4j 2
          Issue Type: Bug
          Components: Appenders
    Affects Versions: 2.0-rc1
            Reporter: Poorna Subhash P
            Priority: Critical

When using the Mongo NoSQL appender with configuration status=debug enabled, the MongoDB password
is logged in clear text. The following is a sample log statement.

2014-04-15 11:29:52,008 DEBUG Calling createNoSQLProvider on class org.apache.logging.log4j.core.appender.db.nosql.mongodb.MongoDBProvider
for element MongoDb with params(collectionName="log4j", writeConcernConstant="null", writeConcernConstantClass="null",
databaseName="logdb", server="localhost", port="27017", username="user", password="pw", factoryClassName="null",

However, in the statement below it gives the password hash.

2014-04-15 11:29:52,476 DEBUG Calling createAppender on class org.apache.logging.log4j.core.appender.db.nosql.NoSQLAppender
for element NoSql with params(name="mongo", ignoreExceptions="null", null, bufferSize="null",
MongoDb(mongoDb{ database=logdb, server=localhost, port=270171, username=user, passwordHash=4834821b7ecd2e7b7c571c0488189821

2014-04-15 11:29:52,477 DEBUG Starting NoSQLDatabaseManager noSqlManager{ description=mongo,
bufferSize=0, provider=mongoDb{ database=logdb, server=localhost, port=27017, username=user,
passwordHash=4834821b7ecd2e7b7c571c0488189821 } }

Either the first statement has to be removed, or it has to be changed to print the password hash.

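A check for the leak described in this report, as an added example that is not part of the original message or of Log4j: it scans status-logger output for sensitive attributes printed as key="value" and masks them. The attribute-name list and all function names are assumptions of this example; the sample lines are abridged from the records quoted in the report.

```python
import re

# Attribute names treated as secrets: an assumption of this example, extend as needed.
SENSITIVE = {"password", "passwd", "secret", "token"}

# key="value" pairs as the status logger prints them inside params(...).
PAIR = re.compile(r'(\w+)="([^"]*)"')


def is_leak(key, value):
    """A sensitive attribute leaks when it is printed with a real value."""
    return key.lower() in SENSITIVE and value != "null"


def find_cleartext(line):
    """Return the names of sensitive attributes printed in clear text."""
    return [k for k, v in PAIR.findall(line) if is_leak(k, v)]


def redact(line):
    """Mask the value of every leaking attribute, leaving the rest intact."""
    return PAIR.sub(
        lambda m: f'{m.group(1)}="***"' if is_leak(m.group(1), m.group(2)) else m.group(0),
        line,
    )


def scan(lines):
    """Return (line number, attribute names, redacted line) per leaking line."""
    return [(n, find_cleartext(l), redact(l))
            for n, l in enumerate(lines, 1) if find_cleartext(l)]


# Abridged from the three records quoted in the report (wrapping joined, class names shortened).
SAMPLE = [
    '2014-04-15 11:29:52,008 DEBUG Calling createNoSQLProvider on class MongoDBProvider '
    'for element MongoDb with params(collectionName="log4j", databaseName="logdb", '
    'server="localhost", port="27017", username="user", password="pw", factoryClassName="null",',
    '2014-04-15 11:29:52,476 DEBUG Calling createAppender on class NoSQLAppender '
    'for element NoSql with params(name="mongo", ignoreExceptions="null", null, '
    'MongoDb(mongoDb{ database=logdb, username=user, passwordHash=4834821b7ecd2e7b7c571c0488189821',
    '2014-04-15 11:29:52,477 DEBUG Starting NoSQLDatabaseManager noSqlManager{ description=mongo, '
    'provider=mongoDb{ username=user, passwordHash=4834821b7ecd2e7b7c571c0488189821 } }',
]

if __name__ == "__main__":
    for n, names, safe in scan(SAMPLE):
        print(f"line {n}: clear-text {names}\n  {safe}")
```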