Details
-
Type:
Bug
-
Status:
Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 1.3.3 (Beta)
-
Fix Version/s: 1.3.4 (Beta)
-
Component/s: None
-
Labels:None
-
Environment:1.3.3-SNAPSHOT r777534
-
Complexity:Intermediate
-
Number of attachments :
Description
Subversion passwords are exposed in plain text in the request log when adding a project, for example:
2009_05_22.request.log:0:0:0:0:0:0:0:1%0 - - [22/May/2009:14:45:32 +0000] "GET /continuum/addMavenTwoProject.action?scmUsername=wsmoak&_checkbox_scmUseCache=true&_checkbox_nonRecursiveProject=true&buildDefinitionTemplateId=1&m2PomUrl=http%3A%2F%2Fsvn.apache.org%2Frepos%2Fasf%2Fcontinuum%2Fsandbox%2Fsimple-example%2Fpom.xml&scmPassword=mypassw0rd&selectedProjectGroup=-1 HTTP/1.1" 302 0 "" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10"
I assume this is a Jetty log file that we can't do anything about. If so, we need to document how to turn off this logging, or perhaps leave it off by default and document how to turn it on if needed.
Activity
setting the includeParams to false fixes this.
<META HTTP-EQUIV="refresh" CONTENT="2;url=<s:url includeParams="false"/>"/>
Does anyone have any objection with this change? If not i'll commit this 
It also shows up in the browser's url field while refreshing the page when adding a project.