Continuum / CONTINUUM-2240

Passwords are exposed in request log


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.3 (Beta)
    • Fix Version/s: 1.3.4 (Beta)
    • Component/s: None
    • Labels: None
    • Environment: 1.3.3-SNAPSHOT r777534

    Description

      Subversion passwords are exposed in plain text in the request log when adding a project, for example:

      2009_05_22.request.log:0:0:0:0:0:0:0:1%0 - - [22/May/2009:14:45:32 +0000] "GET /continuum/addMavenTwoProject.action?scmUsername=wsmoak&_checkbox_scmUseCache=true&_checkbox_nonRecursiveProject=true&buildDefinitionTemplateId=1&m2PomUrl=http%3A%2F%2Fsvn.apache.org%2Frepos%2Fasf%2Fcontinuum%2Fsandbox%2Fsimple-example%2Fpom.xml&scmPassword=mypassw0rd&selectedProjectGroup=-1 HTTP/1.1" 302 0 "" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10"

      I assume this is a Jetty log file that we can't do anything about. If so, we need to document how to turn off this logging, or perhaps leave it off by default and document how to turn it on if needed.
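
As an added example (not part of the original report and not Continuum or Jetty code), a Python filter that finds and masks credential-like query parameters in NCSA-style request log lines such as the one quoted above. The parameter-name pattern, the `REDACTED` mask and the function names are assumptions; the first sample line is abridged from the report and the second is constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumptions (not from the report): the name pattern and the mask string.
SECRET_NAME = re.compile(r"passw|pwd|secret|token", re.IGNORECASE)
MASK = "REDACTED"
# Request-line field of an NCSA-style access log: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d(?:\.\d)?)"')

def redact_target(target):
    """Mask values of secret-looking query parameters; return (target, names)."""
    path, sep, query = target.partition("?")
    hits, pairs = [], []
    for pair in (query.split("&") if sep else []):
        name, eq, value = pair.partition("=")
        if eq and value and SECRET_NAME.search(unquote_plus(name)):
            hits.append(unquote_plus(name))
            pair = name + "=" + MASK  # keep the name, drop the value
        pairs.append(pair)
    return path + sep + "&".join(pairs), hits

def redact_line(line):
    """Redact the request line of one log entry; return (line, names found)."""
    hits = []
    def _sub(m):
        target, found = redact_target(m.group("target"))
        hits.extend(found)
        return '"%s %s %s"' % (m.group("method"), target, m.group("proto"))
    return REQUEST.sub(_sub, line, count=1), hits

SAMPLE = [
    # Abridged from the entry quoted in the report (fewer parameters, short UA).
    '0:0:0:0:0:0:0:1%0 - - [22/May/2009:14:45:32 +0000] "GET /continuum/'
    'addMavenTwoProject.action?scmUsername=wsmoak&buildDefinitionTemplateId=1'
    '&scmPassword=mypassw0rd&selectedProjectGroup=-1 HTTP/1.1" 302 0 "" "Mozilla/5.0"',
    # Constructed entry that carries no credential; it must pass through unchanged.
    '127.0.0.1 - - [22/May/2009:14:46:01 +0000] "GET /continuum/'
    'groupSummary.action?projectGroupId=1 HTTP/1.1" 200 5120 "" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, entry in enumerate(SAMPLE, 1):
        clean, names = redact_line(entry)
        print(n, names or "-", clean)
```

Only the request-line field is rewritten; a Referer field that carries the same URL would need the same treatment.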

          People

            Assignee: Maria Catherine R. Tan (ctan)
            Reporter: Wendy Smoak (wsmoak)