Continuum

Passwords are exposed in continuum.log

Details

  • Type: Bug
  • Status: Closed
  • Priority: Critical
  • Resolution: Fixed
  • Affects Version/s: 1.2
  • Fix Version/s: 1.2.1
  • Component/s: None
  • Labels:
    None
  • Environment:
    Continuum 1.3-SNAPSHOT r700970
    Mac OS X
  • Complexity:
    Intermediate
  • Number of attachments:
    0

Description

When adding an m2 project using a URL to the pom file, I see this in the log:

2008-10-01 16:58:03,541 [addMavenTwoProjectBackgroundThread] INFO continuumProjectBuilder#maven-two-builder - Downloading https://wsmoak:PASSWORD@example.com/svn/wsmoak/hello/trunk/pom.xml

(where PASSWORD was my actual password.)

Passwords should be masked in the log files.

Activity

Wendy Smoak added a comment -

Work on the CONTINUUM-1721 branch seems headed towards changing method signatures so we pass around the URL separately from the userid and password.

I haven't looked to see where this is coming from exactly, but if that happens, we can probably log the URL without the credentials.

Meanwhile, we need to change or comment out this log statement.

Emmanuel Venisse added a comment -

Fixed in r.702698
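
One way to do the masking the report asks for, as an added example (not Continuum's code and not the change made in r.702698): a hypothetical `LogSafeUrl.mask` helper applied to a message before it reaches the logger. It goes slightly beyond the single URL in the report by masking credentials in any URL embedded in the message; the sample lines are constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not Continuum's code: masks URL credentials before a message is logged.
public final class LogSafeUrl {
    // scheme://userinfo@ : userinfo runs to the LAST '@' before the first '/', '?', '#' or whitespace,
    // so a password containing an unencoded '@' is still covered.
    private static final Pattern CREDENTIALS =
            Pattern.compile("([A-Za-z][A-Za-z0-9+.-]*://)([^/?#\\s]*)@");
    private static final String MASK = "*****";

    private LogSafeUrl() {}

    /** Returns the message with the credentials of every embedded URL replaced by a fixed mask. */
    public static String mask(String message) {
        if (message == null) {
            return null;
        }
        Matcher m = CREDENTIALS.matcher(message);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String userInfo = m.group(2);
            int colon = userInfo.indexOf(':');
            // "user:secret" keeps the user name; userinfo without ':' may be a token, so mask it whole.
            String safe = (colon >= 0 ? userInfo.substring(0, colon + 1) : "") + MASK;
            // quoteReplacement stops '$' or '\' in the user name being read as group references.
            m.appendReplacement(out, Matcher.quoteReplacement(m.group(1) + safe + "@"));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed samples modelled on the log line in the report.
        String[] samples = {
            "Downloading https://wsmoak:PASSWORD@example.com/svn/wsmoak/hello/trunk/pom.xml",
            "Downloading https://wsmoak:p@ss:word@example.com/pom.xml", // unencoded '@' and ':' in password
            "Downloading https://sometoken@example.com/pom.xml",        // no ':' in userinfo
            "Downloading https://example.com/pom.xml?mail=a@b.c",       // '@' only in the query string
        };
        for (String s : samples) {
            System.out.println(mask(s));
        }
    }
}
```

The mask has a fixed length so the log does not reveal how long the password is.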
