[KARAF-7256] Action logs could leak passwords if passed as argument or option - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 4.3.2
Fix Version/s: None
Component/s: karaf
Labels:
None

Target Version/s:

4.5.0, 4.4.8

Description

If a shell Action take a sensible argument like a password, this password will be visible every time the Action log something.

The statement is used to set the name of the thread, without obfuscating any arguments or options. The thread name is logged with the default log4j configuration.

felix-dev/Pipe.java at 3e5671ae7e5107f4f849ef9d5f0a89b1ba9d7439 · apache/felix-dev · GitHub

Using the "censor" property in @Argument or @Option doesn't change anything.

Attachments

Activity

People

Assignee:: Jean-Baptiste Onofré

Reporter:: J. Brébec

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 17/Sep/21 07:06

Updated:: 05/Nov/24 12:57