Mike Wallace created COUCHDB-2952:
-------------------------------------
Summary: Teach couch_replicator to use credentials securely
Key: COUCHDB-2952
URL: https://issues.apache.org/jira/browse/COUCHDB-2952
Project: CouchDB
Issue Type: Bug
Components: Replication
Reporter: Mike Wallace

The replicator currently stores credentials needed for replication in the
gen_server state, either in the source/target URLs or the authorization header.
This means it is possible for these credentials to get dumped out to the log
file in plain text when couch_replicator terminates.

The most frequent (as observed so far) case of this was resolved over in
COUCHDB-2949 [1]; however, it is still possible for the gen_server state to end
up in the logs (e.g., it can end up in the Reason argument if a message is
received that doesn't match any existing callbacks).

We should therefore store the credentials somewhere other than the state -
perhaps an ets table or maybe the process dictionary.

[1] https://issues.apache.org/jira/browse/COUCHDB-2949
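
One way to keep an authorization header out of anything that prints the gen_server state, as an added Erlang example (not CouchDB's code and not the fix adopted for this issue): the secret is held in a closure and `format_status/2` redacts it. The module name `cred_state_demo`, the record fields, and the sample URL and header value are assumptions constructed for illustration.

```erlang
-module(cred_state_demo).            % hypothetical module, not part of CouchDB
-behaviour(gen_server).
-export([start_link/2, auth_header/1, demo/0]).
-export([init/1, handle_call/3, handle_cast/2, handle_info/2, format_status/2]).

%% auth holds fun(() -> binary()), never the raw header value.
-record(state, {url, auth}).

%% Url is expected to arrive with any user:pass@ part already removed.
start_link(Url, Header) ->
    gen_server:start_link(?MODULE, {Url, Header}, []).

auth_header(Pid) ->
    gen_server:call(Pid, auth_header).

init({Url, Header}) ->
    %% A closure prints as #Fun<...> under ~p, so the header bytes do not
    %% appear when the state is formatted into a log line or an exit Reason.
    {ok, #state{url = Url, auth = fun() -> Header end}}.

handle_call(auth_header, _From, #state{auth = Auth} = St) ->
    {reply, Auth(), St}.

handle_cast(_Msg, St) ->
    {noreply, St}.

%% Catch-all clause: an unexpected message is dropped instead of raising
%% function_clause, whose stack trace carries the callback arguments
%% (the state included) into Reason.
handle_info(_Unexpected, St) ->
    {noreply, St}.

%% Used for the termination report and sys:get_status/1. OTP 25 and later
%% also offer format_status/1.
format_status(terminate, [_PDict, St]) ->
    St#state{auth = redacted};
format_status(normal, [_PDict, St]) ->
    [{data, [{"State", St#state{auth = redacted}}]}].

demo() ->
    Secret = <<"Basic constructed-sample-value">>,   % constructed, not a real credential
    {ok, Pid} = start_link("https://db.example.invalid/target", Secret),
    Printed = iolist_to_binary(io_lib:format("~p", [sys:get_state(Pid)])),
    nomatch = binary:match(Printed, Secret),   % raw state term does not print the secret
    Secret = auth_header(Pid),                 % still available for building requests
    gen_server:stop(Pid).
```

The closure only changes what formatted output shows: the captured value is still readable through `erlang:fun_info/2` and is present in a crash dump, so access to the node and its dumps needs the same protection as the credentials.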