You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@continuum.apache.org by "Maria Catherine Tan (JIRA)" <ji...@codehaus.org> on 2009/08/12 04:28:59 UTC

[jira] Reopened: (CONTINUUM-2240) Passwords are exposed in request log

     [ http://jira.codehaus.org/browse/CONTINUUM-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Catherine Tan reopened CONTINUUM-2240:
--------------------------------------------


> Passwords are exposed in request log
> ------------------------------------
>
>                 Key: CONTINUUM-2240
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-2240
>             Project: Continuum
>          Issue Type: Bug
>    Affects Versions: 1.3.3
>         Environment: 1.3.3-SNAPSHOT r777534
>            Reporter: Wendy Smoak
>            Assignee: Maria Catherine Tan
>             Fix For: 1.3.4
>
>
> Subversion passwords are exposed in plain text in the request log when adding a project, for example:
> 2009_05_22.request.log:0:0:0:0:0:0:0:1%0 -  -  [22/May/2009:14:45:32 +0000] "GET /continuum/addMavenTwoProject.action?scmUsername=wsmoak&__checkbox_scmUseCache=true&__checkbox_nonRecursiveProject=true&buildDefinitionTemplateId=-1&m2PomUrl=http%3A%2F%2Fsvn.apache.org%2Frepos%2Fasf%2Fcontinuum%2Fsandbox%2Fsimple-example%2Fpom.xml&scmPassword=mypassw0rd&selectedProjectGroup=-1 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10"
> I assume this is a Jetty log file that we can't do anything about.  If so, we need to document how to turn off this logging, or perhaps leave it off by default and document how to turn it on if needed.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira