[jira] [Closed] (COUCHDB-2949) Replications which fail to start dump creds into the logs

Mike Wallace (JIRA) Mon, 15 Feb 2016 13:10:03 -0800

     [ 
https://issues.apache.org/jira/browse/COUCHDB-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Mike Wallace closed COUCHDB-2949.
---------------------------------
       Resolution: Fixed
    Fix Version/s: 2.0.0

This specific case is fixed however it is still possible for creds to leak into 
log files as documented over in 
https://issues.apache.org/jira/browse/COUCHDB-2952

> Replications which fail to start dump creds into the logs
> ---------------------------------------------------------
>
>                 Key: COUCHDB-2949
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2949
>             Project: CouchDB
>          Issue Type: Bug
>          Components: Replication
>            Reporter: Mike Wallace
>             Fix For: 2.0.0
>
>
> If a replication fails to start then the `#rep` record is logged [1]. This 
> can contain credentials in either the source or target `#httpdb` records, 
> either in urls or the authorization header.
> This can be reproduced by posting a replication document which specifies a 
> replication from a database that doesn't exist and following the logs, e.g.: 
> https://gist.github.com/mikewallace1979/757a48bce6b84fbf080c
> Note that the creds are exposed both when they are in the source/target url 
> or in the `Authorization` header.
> [1] 
> https://github.com/apache/couchdb-couch-replicator/blob/master/src/couch_replicator.erl#L519-L520



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Closed] (COUCHDB-2949) Replications which fail to start dump creds into the logs

Reply via email to