lujie created CLOUDSTACK-10423:
----------------------------------
Summary: Potential sensitive information disclosure
Key: CLOUDSTACK-10423
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10423
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Reporter: lujieAs shown at [https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/plugins/storage/image/default/src/main/java/org/apache/cloudstack/storage/datastore/lifecycle/CloudStackImageStoreLifeCycleImpl.java#L92] url could contain password or other sensitive information even we sanitize the url at line 93 and 95, but the url still be warped into exception at [https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/plugins/storage/image/default/src/main/java/org/apache/cloudstack/storage/datastore/lifecycle/CloudStackImageStoreLifeCycleImpl.java#L117] the exception will printed at [https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/server/src/main/java/com/cloud/storage/StorageManagerImpl.java#L639] and [https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/server/src/main/java/com/cloud/storage/StorageManagerImpl.java#L747] and [https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/server/src/main/java/com/cloud/storage/StorageManagerImpl.java#L2472] and https://github.com/apache/cloudstack/blob/bd38f0647f59e09bc0755bbf48d48fb0a21295ca/server/src/main/java/com/cloud/storage/StorageManagerImpl.java#L2260 -- This message was sent by Atlassian Jira (v8.3.4#803005)
