Continuum

Passwords are exposed in request log

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 1.3.3 (Beta)
  • Fix Version/s: 1.3.4 (Beta)
  • Component/s: None
  • Labels:
    None
  • Environment:
    1.3.3-SNAPSHOT r777534
  • Complexity:
    Intermediate
  • Number of attachments :
    0

Description

Subversion passwords are exposed in plain text in the request log when adding a project, for example:

2009_05_22.request.log:0:0:0:0:0:0:0:1%0 - - [22/May/2009:14:45:32 +0000] "GET /continuum/addMavenTwoProject.action?scmUsername=wsmoak&_checkbox_scmUseCache=true&_checkbox_nonRecursiveProject=true&buildDefinitionTemplateId=1&m2PomUrl=http%3A%2F%2Fsvn.apache.org%2Frepos%2Fasf%2Fcontinuum%2Fsandbox%2Fsimple-example%2Fpom.xml&scmPassword=mypassw0rd&selectedProjectGroup=-1 HTTP/1.1" 302 0 "" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10"

I assume this is a Jetty log file that we can't do anything about. If so, we need to document how to turn off this logging, or perhaps leave it off by default and document how to turn it on if needed.

Activity

Hide
Maria Catherine Tan added a comment -

It also shows up in the browser's url field while refreshing the page when adding a project.

Show
Maria Catherine Tan added a comment - It also shows up in the browser's url field while refreshing the page when adding a project.
Hide
Maria Catherine Tan added a comment -

setting the includeParams to false fixes this.

<META HTTP-EQUIV="refresh" CONTENT="2;url=<s:url includeParams="false"/>"/>

Does anyone have any objection with this change? If not i'll commit this

Show
Maria Catherine Tan added a comment - setting the includeParams to false fixes this. <META HTTP-EQUIV="refresh" CONTENT="2;url=<s:url includeParams="false"/>"/> Does anyone have any objection with this change? If not i'll commit this
Hide
Maria Catherine Tan added a comment -

Fixed in
r800620 of 1.3.x branch
r800622 of trunk

Show
Maria Catherine Tan added a comment - Fixed in r800620 of 1.3.x branch r800622 of trunk
Hide
Maria Catherine Tan added a comment -

Changes made in r800620 causes this warning:

WARN org.apache.struts2.components.URL - Unknown value for includeParams parameter to URL tag: false

Show
Maria Catherine Tan added a comment - Changes made in r800620 causes this warning: WARN org.apache.struts2.components.URL - Unknown value for includeParams parameter to URL tag: false
Hide
Maria Catherine Tan added a comment -

set includeParams to none

r803352 of 1.3.x branch
r803353 of trunk

Show
Maria Catherine Tan added a comment - set includeParams to none r803352 of 1.3.x branch r803353 of trunk

People

Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: