Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-1525 Issue to group security concerns
  3. OFBIZ-9310

On setting verbose true, UtilHttp.getParameterMap() method prints username and password in logs

        Details

        • Sprint:
          Bug Crush Event - 21/2/2015

          Description

          In UtilHttp.getParameterMap(HttpServletRequest request, Set<? extends String> nameSet, Boolean onlyIncludeOrSkip) method, following line of code prints username and password in logs when verbose is set to true.

          if (Debug.verboseOn())

          { Debug.logVerbose("Made Request Parameter Map with [" + paramMap.size() + "] Entries", module); Debug.logVerbose("Request Parameter Map Entries: " + System.getProperty("line.separator") + UtilMisc.printMap(paramMap), module); }
          1. Text File
            OFBIZ-9310.patch
            0.7 kB
            Aditya Sharma

            Activity

            Ascending order - Click to sort in descending order
            Hide
            Permalink
            aditya.sharma Aditya Sharma added a comment -

            Removed the line that prints "Request Parameter Map Entries" as it may print username and password entered by user when verbose set to true. It may not be a grave concern for staging environment as verbose are not logged there but it is still unethical to print such details.

            Show
            aditya.sharma Aditya Sharma added a comment - Removed the line that prints "Request Parameter Map Entries" as it may print username and password entered by user when verbose set to true. It may not be a grave concern for staging environment as verbose are not logged there but it is still unethical to print such details.
            Hide
            Permalink
            jacques.le.roux Jacques Le Roux added a comment -

            Thanks Aditya,

            I decided to rather comment out the line which might still be useful in some cases...

            Fixed in
            trunk r1791346
            R16.11 r1791347
            R15.12 and 14.12 r1791348

            Show
            jacques.le.roux Jacques Le Roux added a comment - Thanks Aditya, I decided to rather comment out the line which might still be useful in some cases... Fixed in trunk r1791346 R16.11 r1791347 R15.12 and 14.12 r1791348
            Hide
            Permalink
            aditya.sharma Aditya Sharma added a comment -

            Thanks Jacques

            Show
            aditya.sharma Aditya Sharma added a comment - Thanks Jacques

              People

              • Assignee:
                jacques.le.roux Jacques Le Roux
                Reporter:
                aditya.sharma Aditya Sharma
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Development

                    Agile