
On setting verbose true, UtilHttp.getParameterMap() method prints username and password in logs

    Details

    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      In the UtilHttp.getParameterMap(HttpServletRequest request, Set<? extends String> nameSet, Boolean onlyIncludeOrSkip) method, the following lines of code print the username and password into the logs when verbose logging is enabled:

      if (Debug.verboseOn()) {
          Debug.logVerbose("Made Request Parameter Map with [" + paramMap.size() + "] Entries", module);
          // prints every request parameter, credentials included
          Debug.logVerbose("Request Parameter Map Entries: " + System.getProperty("line.separator") + UtilMisc.printMap(paramMap), module);
      }
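      The following stand-alone Java program is an added illustration, not OFBiz code and not the patch attached to this issue. It reproduces the effect of the reported line on a constructed login-style parameter map and contrasts it with a redacting variant that masks values for a hypothetical denylist of sensitive parameter names (SENSITIVE_KEYS, chosen here for illustration) before anything reaches the log. The verboseOn flag stands in for Debug.verboseOn().

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added example (not OFBiz code): shows why logging the raw request parameter
// map leaks credentials, and one defensive alternative to logging it verbatim.
public class ParameterMapLogging {

    // Hypothetical denylist of parameter names whose values must never be logged
    // (compared case-insensitively; extend it to match the application's forms).
    private static final Set<String> SENSITIVE_KEYS = Set.of(
            "USERNAME", "PASSWORD", "PASSWD", "NEWPASSWORD", "TOKEN", "CREDITCARDNUMBER");

    // Mirrors the reported behaviour: every entry is rendered exactly as submitted.
    static String printMapVerbatim(Map<String, Object> paramMap) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Object> e : paramMap.entrySet()) {
            sb.append(e.getKey()).append(" --> ").append(e.getValue())
              .append(System.lineSeparator());
        }
        return sb.toString();
    }

    // Redacting variant: values of denylisted keys are masked before rendering,
    // so a verbose log still shows which parameters arrived but not the secrets.
    static String printMapRedacted(Map<String, Object> paramMap) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Object> e : paramMap.entrySet()) {
            boolean sensitive = SENSITIVE_KEYS.contains(e.getKey().toUpperCase());
            Object value = sensitive ? "[REDACTED]" : e.getValue();
            sb.append(e.getKey()).append(" --> ").append(value)
              .append(System.lineSeparator());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of what a login request's parameter map might contain.
        Map<String, Object> paramMap = new LinkedHashMap<>();
        paramMap.put("USERNAME", "admin");
        paramMap.put("PASSWORD", "s3cret!");
        paramMap.put("productId", "WG-1111");

        boolean verboseOn = true; // stands in for Debug.verboseOn()
        if (verboseOn) {
            System.out.println("Verbatim (what the reported line wrote to the log):");
            System.out.print(printMapVerbatim(paramMap));
            System.out.println("Redacted:");
            System.out.print(printMapRedacted(paramMap));
        }
    }
}
```

      Running it shows the verbatim output carrying "s3cret!" into the log while the redacted output keeps the parameter names (useful for debugging a request) and masks only the denylisted values. Removing or commenting out the log line, as was done for this issue, is the simpler fix; redaction is the pattern to reach for when the entry list itself is still needed in verbose output.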
      Attachments

      1. OFBIZ-9310.patch (0.7 kB) - Aditya Sharma

        Activity

        aditya.sharma Aditya Sharma added a comment -

        Removed the line that prints "Request Parameter Map Entries" as it may print the username and password entered by the user when verbose is set to true. It may not be a grave concern for a staging environment, as verbose messages are not logged there, but it is still unethical to print such details.

        jacques.le.roux Jacques Le Roux added a comment -

        Thanks Aditya,

        I decided to rather comment out the line which might still be useful in some cases...

        Fixed in
        trunk r1791346
        R16.11 r1791347
        R15.12 and 14.12 r1791348

        aditya.sharma Aditya Sharma added a comment -

        Thanks Jacques


          People

          • Assignee:
            jacques.le.roux Jacques Le Roux
            Reporter:
            aditya.sharma Aditya Sharma
          • Votes:
            0
            Watchers:
            2
