[ https://issues.apache.org/jira/browse/CLOUDSTACK-5355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13838407#comment-13838407 ]

ASF subversion and git services commented on CLOUDSTACK-5355:
-------------------------------------------------------------

Commit 8367a8fae19bb883747a8fecfa3b00d022513104 in branch refs/heads/4.3 from [~minchen07]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=8367a8f ]

CLOUDSTACK-5355: addImageStore should not log password in clear text in
the log.


> addImageStore should not log password in clear text in the log
> --------------------------------------------------------------
>
>                 Key: CLOUDSTACK-5355
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5355
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public (Anyone can view this level - this is the default.)
>          Components: API
>    Affects Versions: 4.2.0
>            Reporter: Min Chen
>            Assignee: Min Chen
>            Priority: Critical
>             Fix For: 4.3.0
>
>
> For cifs, addImageStore is currently logging everything including username, 
> password and domain in clear text in the logs, which are specified in the query 
> parameter url for the image store.
> Here's an extract from the logs: (obscured actual pwd)
> 2013-11-26 12:03:35,703 DEBUG [c.c.a.ApiServlet] 
> (catalina-exec-13:ctx-f0723f52) ===START=== 10.104.255.45 – GET 
> command=addImageStore&response=json&sessionkey=5DGP7gv1vXNaK35rAxfIEi7256o%3D&name=SS1&provider=SMB&zoneid=5a60af2b-3025-4f2a-9ecc-8e33bf2b94e3&url=cifs%3A%2F%2F10.102.192.150%2FSMB-Share%2Fsowmya%2Fsecondary%3Fuser%3Dsowmya%26password%3DXXXXX%40123%26domain%3DBLR&_=1385447356899
> 2013-11-26 12:03:35,741 INFO [o.a.c.s.d.l.CloudStackImageStoreLifeCycleImpl] 
> (catalina-exec-13:ctx-f0723f52 ctx-547cfc1f) Trying to add a new data store 
> at 
> cifs://10.102.192.150/SMB-Share/sowmya/secondary?user=sowmya&password=XXX@123&domain=BLR
>  to data center 1
> 2013-11-26 12:03:35,776 DEBUG [c.c.u.UriUtils] (catalina-exec-13:ctx-f0723f52 
> ctx-547cfc1f) foundUser istrue
> 2013-11-26 12:03:35,777 DEBUG [c.c.u.UriUtils] (catalina-exec-13:ctx-f0723f52 
> ctx-547cfc1f) foundPswd istrue
> 2013-11-26 12:03:36,011 DEBUG [c.c.a.ApiServlet] 
> (catalina-exec-13:ctx-f0723f52 ctx-547cfc1f) ===END=== 10.104.255.45 – GET 
> command=addImageStore&response=json&sessionkey=5DGP7gv1vXNaK35rAxfIEi7256o%3D&name=SS1&provider=SMB&zoneid=5a60af2b-3025-4f2a-9ecc-8e33bf2b94e3&url=cifs%3A%2F%2F10.102.192.150%2FSMB-Share%2Fsowmya%2Fsecondary%3Fuser%3Dsowmya%26password%3DXXX%40123%26domain%3DBLR&_=1385447356899



--
This message was sent by Atlassian JIRA
(v6.1#6144)
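
Added example, not CloudStack's code or the committed fix: one way to mask the password before a message reaches the logger, covering both forms seen in the log extract above (URL-encoded in the ApiServlet lines, decoded in the image store line). The class and method names and all sample values are assumptions made for illustration.

```java
import java.util.regex.Pattern;

public class PasswordRedactionExample {
    // URL-encoded form (as in the ApiServlet request lines): "password%3D<value>",
    // where the value ends at an encoded '&' ("%26"), a raw '&', or whitespace.
    private static final Pattern ENCODED =
        Pattern.compile("(?i)(password%3D)(?:(?!%26)[^&\\s])*");
    // Decoded form (as in the image store lifecycle line): "password=<value>",
    // where the value ends at '&' or whitespace.
    private static final Pattern DECODED =
        Pattern.compile("(?i)(password=)[^&\\s]*");

    /** Masks the password value in a log message before it is handed to the logger. */
    static String redact(String message) {
        String masked = ENCODED.matcher(message).replaceAll("$1****");
        return DECODED.matcher(masked).replaceAll("$1****");
    }

    public static void main(String[] args) {
        // Constructed sample messages in the shape of the log extract; all values are made up.
        String[] samples = {
            "===START=== 192.0.2.45 -- GET command=addImageStore&response=json&name=SS1"
                + "&provider=SMB&url=cifs%3A%2F%2F192.0.2.10%2Fshare%2Fsecondary"
                + "%3Fuser%3Dalice%26password%3DS3cret%40123%26domain%3DLAB&_=1",
            "Trying to add a new data store at "
                + "cifs://192.0.2.10/share/secondary?user=alice&password=S3cret@123&domain=LAB"
                + " to data center 1",
            "foundPswd is true"
        };
        for (String s : samples) {
            String out = redact(s);
            // Fail loudly if any part of the constructed password survives redaction.
            if (out.contains("S3cret")) {
                throw new IllegalStateException("password leaked: " + out);
            }
            System.out.println(out);
        }
    }
}
```

The two patterns are kept separate because the value terminator differs: in the encoded request line the next parameter starts at `%26`, while in the decoded URL a `%26` can be part of the password itself.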
