QPID-3763

AMQConnectionDelegate_0_10 incorrectly prints password to log file

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.15
    • Component/s: Java Client
    • Labels:
      None
    • Environment:

      All OS platforms.

      Description

      The AMQConnectionDelegate_0_10 prints password information to the log file. This should be replaced with the standard '******' pattern. Also, I think we should go through the JMS client and determine if this is being done anywhere else.

      1. QPID-3763.patch
        0.9 kB
        Weston M. Price

        Activity

        Weston M. Price added a comment -

        Added standard "******" pattern for password in log file.

        Weston M. Price added a comment -

        Fixed with attached patch.

        Alex Rudyy added a comment -

        Hi Weston,

        IMHO, with the current implementation, seeing 6 '*' characters for a password when Kerberos (or any other non-password) authentication is used could be a bit misleading.

        I would say that it could be clearer to either
        mask each password character with the "" character and display the exact number of "" characters as the number of characters in the password,
        or stop printing the password and any password mask characters.

        What do you think about it?

        Weston M. Price added a comment -

        Hi Alex,
        Typically I believe masking never uses the exact number of characters from the password as this would give an indication of exactly how long the password is. Also, I believe some form of mask makes sense being that if some form of password based auth is being used, people would expect to see the standard '******' printed to the logs.

        Rajith Attapattu added a comment -

        Alex,

        I also agree with Weston. It's better not to give any hints as to what the password length is, etc.
        Usually the **** seems pretty standard in logs, etc.

        Regards,

        Rajith

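As an added illustration of the fix this issue describes and of the fixed-width mask argued for in the comments above, the following example is written for this page and is not Qpid's own code. The `ConnectionSettings` stand-in, the `maskPassword` and `leaksAny` helpers, and the "(none)" rendering chosen for a null password (the Kerberos case Alex raises) are all assumptions of the example, not the behaviour of the patched client.

```java
import java.util.Arrays;
import java.util.logging.Logger;

// Added example, not Qpid code. Shows the bug shape (raw password rendered
// into a log line) beside the fix (a constant-width mask), and a check a
// practitioner can run over the rendered line to confirm nothing leaked.
public final class ConnectionSettingsLogging {

    private static final Logger LOG =
            Logger.getLogger(ConnectionSettingsLogging.class.getName());

    // Fixed mask: identical for every non-null password, so a reader of the
    // log cannot infer the password's length from the mask.
    static final String PASSWORD_MASK = "******";

    /** Minimal stand-in for the client's connection settings (hypothetical). */
    static final class ConnectionSettings {
        final String host;
        final int port;
        final String username;
        final String password; // null when no password-based mechanism is in use

        ConnectionSettings(String host, int port, String username, String password) {
            this.host = host;
            this.port = port;
            this.username = username;
            this.password = password;
        }

        /** The "before" shape of the bug: the raw field ends up in the log. */
        String unsafeDescription() {
            return "host=" + host + " port=" + port
                 + " username=" + username + " password=" + password;
        }

        /** The fixed shape: only the mask is ever rendered. */
        String safeDescription() {
            return "host=" + host + " port=" + port
                 + " username=" + username + " password=" + maskPassword(password);
        }
    }

    /**
     * Returns the constant mask for any non-null secret. A null secret means
     * no password was supplied; rendering that as "(none)" is a choice made
     * for this example (assumption), so a Kerberos-style connection is not
     * shown with a mask that implies a password exists.
     */
    static String maskPassword(String secret) {
        return secret == null ? "(none)" : PASSWORD_MASK;
    }

    /** True if the rendered log line contains any of the given secrets verbatim. */
    static boolean leaksAny(String logLine, String... secrets) {
        return Arrays.stream(secrets)
                .anyMatch(s -> s != null && !s.isEmpty() && logLine.contains(s));
    }

    public static void main(String[] args) {
        // Constructed sample settings; the host, user and passwords are made up.
        ConnectionSettings longPw = new ConnectionSettings("broker.example", 5672, "guest", "s3cr3t-pa55");
        ConnectionSettings shortPw = new ConnectionSettings("broker.example", 5672, "guest", "x");
        ConnectionSettings noPw = new ConnectionSettings("broker.example", 5672, "guest", null);

        // The bug: the plaintext password goes straight into the log line.
        String unsafe = longPw.unsafeDescription();
        System.out.println("unsafe line: " + unsafe);
        System.out.println("unsafe line leaks password: " + leaksAny(unsafe, longPw.password));

        // The fix: the mask replaces the password, and the line no longer
        // depends on the password's length.
        String safe = longPw.safeDescription();
        LOG.info("Connecting: " + safe);
        System.out.println("safe line leaks password: " + leaksAny(safe, longPw.password));
        System.out.println("same rendering for 11-char and 1-char passwords: "
                + safe.equals(shortPw.safeDescription()));
        System.out.println("no password supplied: " + noPw.safeDescription());
    }
}
```

Running `main` prints the unsafe line with the password in clear, reports that it leaks, then shows the masked line, reports that it does not leak, and confirms that the long and the one-character password render identically, which is the point Weston and Rajith make against a length-preserving mask. The `leaksAny` check is the kind of assertion worth keeping in the client's own tests so that a future `toString()` or debug statement cannot reintroduce the leak.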

          People

          • Assignee:
            Weston M. Price
            Reporter:
            Weston M. Price
          • Votes:
            0
            Watchers:
            0
