[COUCHDB-2949] Replications which fail to start dump creds into the logs - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 2.0.0
Component/s: Replication
Labels:
None

Description

If a replication fails to start then the `#rep` record is logged [1]. This can contain credentials in either the source or target `#httpdb` records, either in urls or the authorization header.

This can be reproduced by posting a replication document which specifies a replication from a database that doesn't exist and following the logs, e.g.: https://gist.github.com/mikewallace1979/757a48bce6b84fbf080c

Note that the creds are exposed both when they are in the source/target url or in the `Authorization` header.

[1] https://github.com/apache/couchdb-couch-replicator/blob/master/src/couch_replicator.erl#L519-L520

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Mike Wallace

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 10/Feb/16 14:46

Updated:: 01/Mar/16 18:13

Resolved:: 15/Feb/16 21:09