Passwords are exposed in continuum.log

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.2
Fix Version/s: 1.2.1
Component/s: None
Labels:
None
Environment:
Continuum 1.3-SNAPSHOT r700970
Mac OS X

Complexity:
Intermediate
Number of attachments :
0

Description

When adding a m2 project using a url to the pom file, I see this in the log:

2008-10-01 16:58:03,541 [addMavenTwoProjectBackgroundThread] INFO continuumProjectBuilder#maven-two-builder - Downloading https://wsmoak:PASSWORD@example.com/svn/wsmoak/hello/trunk/pom.xml

(where PASSWORD was my actual password.)

Passwords should be masked in the log files.

Issue Links

is depended upon by

CONTINUUM-2200 Logs should not display scm credentials when adding projects

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Wendy Smoak added a comment - 01/Oct/08 7:26 PM

Work on the CONTINUUM-1721 branch seems headed towards changing method signatures so we pass around the url separately from the userid and password.

I haven't looked to see where this is coming from exactly, but if that happens, we can probably log the url without the credentials.

Meanwhile, we need to change or comment out this log statement.

Show

Wendy Smoak added a comment - 01/Oct/08 7:26 PM Work on the CONTINUUM-1721 branch seems headed towards changing method signatures so we pass around the url separately from the userid and password. I haven't looked to see where this is coming from exactly, but if that happens, we can probably log the url without the credentials. Meanwhile, we need to change or comment out this log statement.

Hide

Permalink

Emmanuel Venisse added a comment - 08/Oct/08 12:05 AM

Fixed in r.702698

Show

Emmanuel Venisse added a comment - 08/Oct/08 12:05 AM Fixed in r.702698

People

Assignee:

Emmanuel Venisse

Reporter:

Wendy Smoak

Vote (0)

Watch (0)

Dates

Created:

01/Oct/08 7:03 PM

Updated:

27/Apr/09 9:41 AM

Resolved:

08/Oct/08 12:05 AM