Posted to issues@continuum.apache.org by "Wendy Smoak (JIRA)" <ji...@codehaus.org> on 2009/05/22 16:56:42 UTC

[jira] Created: (CONTINUUM-2240) Passwords are exposed in request log

Passwords are exposed in request log
------------------------------------

                 Key: CONTINUUM-2240
                 URL: http://jira.codehaus.org/browse/CONTINUUM-2240
             Project: Continuum
          Issue Type: Bug
    Affects Versions: 1.3.3
         Environment: 1.3.3-SNAPSHOT r777534
            Reporter: Wendy Smoak


Subversion passwords are exposed in plain text in the request log when adding a project, for example:

2009_05_22.request.log:0:0:0:0:0:0:0:1%0 -  -  [22/May/2009:14:45:32 +0000] "GET /continuum/addMavenTwoProject.action?scmUsername=wsmoak&__checkbox_scmUseCache=true&__checkbox_nonRecursiveProject=true&buildDefinitionTemplateId=-1&m2PomUrl=http%3A%2F%2Fsvn.apache.org%2Frepos%2Fasf%2Fcontinuum%2Fsandbox%2Fsimple-example%2Fpom.xml&scmPassword=mypassw0rd&selectedProjectGroup=-1 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10"

I assume this is a Jetty log file that we can't do anything about.  If so, we need to document how to turn off this logging, or perhaps leave it off by default and document how to turn it on if needed.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
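An added example (not code from the ticket, from Continuum or from Jetty) showing the check a practitioner would want after reading the report above: scan an existing request log for credentials that have already leaked through GET query strings, and produce a redacted copy. It parses Jetty's NCSA-style lines, flags any request whose query string carries a non-empty value for a password-like parameter name (case-insensitive, URL-decoded), and rewrites the line with that value removed while leaving every other parameter byte-for-byte intact. The sample log lines are constructed (the first is modelled on the line quoted in the ticket, minus the "2009_05_22.request.log:" grep prefix); the list of sensitive parameter names and the hypothetical /continuum/login.action path are assumptions of this example.

```python
"""Detect credentials leaked into a Jetty request log via GET query strings.

Added example for CONTINUUM-2240; not Continuum or Jetty code. The log lines
in SAMPLE_LOG are constructed, and SENSITIVE_PARAMS is an assumption.
"""
import re
from urllib.parse import unquote_plus

# Query-parameter names treated as secrets (assumption for this example;
# extend it to whatever names your application's forms actually submit).
SENSITIVE_PARAMS = {
    "scmpassword", "password", "passwd", "pwd", "secret", "token", "apikey", "api_key",
}

# One NCSA request-log line as Jetty writes it. \s+ tolerates the doubled
# spaces seen in the ticket's sample; the client field accepts IPv6 forms
# such as 0:0:0:0:0:0:0:1%0 as well as dotted IPv4.
LOG_RE = re.compile(
    r'^(?P<client>\S+)\s+-\s+(?P<user>\S+)\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+(?P<proto>HTTP/\d\.\d)"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)'
)

SAMPLE_LOG = [
    # Constructed, modelled on the line quoted in the ticket.
    '0:0:0:0:0:0:0:1%0 -  -  [22/May/2009:14:45:32 +0000] "GET /continuum/addMavenTwoProject.action?'
    'scmUsername=wsmoak&__checkbox_scmUseCache=true&buildDefinitionTemplateId=-1'
    '&m2PomUrl=http%3A%2F%2Fsvn.apache.org%2Frepos%2Fasf%2Fcontinuum%2Fsandbox%2Fsimple-example%2Fpom.xml'
    '&scmPassword=mypassw0rd&selectedProjectGroup=-1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # Constructed: the same action submitted by POST, so the credentials travel
    # in the body and never reach the request log.
    '127.0.0.1 - - [22/May/2009:14:47:10 +0000] "POST /continuum/addMavenTwoProject.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # Constructed: benign GET with a query string and no secrets.
    '127.0.0.1 - - [22/May/2009:14:48:00 +0000] "GET /continuum/projectGroupSummary.action?projectGroupId=1 HTTP/1.1" 200 5123 "-" "curl/7.19"',
    # Constructed (hypothetical path): parameter name in a different case and a
    # URL-encoded value; still a leak.
    '10.0.0.7 - - [22/May/2009:14:49:41 +0000] "GET /continuum/login.action?username=admin&PASSWORD=s3cret%21 HTTP/1.1" 200 412 "-" "curl/7.19"',
    # Constructed: an empty value leaks nothing, so it is not reported.
    '10.0.0.7 - - [22/May/2009:14:50:02 +0000] "GET /continuum/login.action?username=admin&password= HTTP/1.1" 200 412 "-" "curl/7.19"',
    'this line is not in NCSA format and is skipped',
]


def redact_query(query):
    """Return (redacted_query, leaked_names).

    Pairs are compared on the URL-decoded, lower-cased name; pairs that are not
    sensitive are copied unchanged so the rest of the line stays byte-identical.
    """
    out, leaked = [], []
    for pair in query.split("&"):
        name, sep, value = pair.partition("=")
        if value and unquote_plus(name).lower() in SENSITIVE_PARAMS:
            leaked.append(unquote_plus(name))
            out.append(f"{name}{sep}REDACTED")
        else:
            out.append(pair)
    return "&".join(out), leaked


def scan_line(line):
    """Parse one request-log line; return a finding dict if it leaks a secret, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, qmark, query = m.group("target").partition("?")
    if not qmark:
        return None  # no query string, nothing to leak via the URL
    redacted_query, leaked = redact_query(query)
    if not leaked:
        return None
    redacted_line = line[:m.start("target")] + path + "?" + redacted_query + line[m.end("target"):]
    return {
        "client": m.group("client"),
        "method": m.group("method"),
        "path": path,
        "params": leaked,
        "redacted": redacted_line,
    }


def scan_log(lines):
    """Scan an iterable of log lines (a list or an open file); findings carry 1-based line numbers."""
    findings = []
    for n, line in enumerate(lines, start=1):
        f = scan_line(line.rstrip("\n"))
        if f:
            f["line"] = n
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['path']} leaks {', '.join(f['params'])}")
        print("  redacted:", f["redacted"])
```

Run it against a real file with scan_log(open(path)). Any hit means the credential should be rotated, not just scrubbed: the log, its rotated copies, backups and any log-shipping pipeline have all held it in clear text. The parser also shows why the fix has to be in the application rather than in Jetty: the request log records the request line exactly as the client sent it, so the only reliable remedy is never to carry credentials in a GET query string (and not to let the page's refresh URL re-emit them); log redaction is cleanup, not prevention.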


[jira] Reopened: (CONTINUUM-2240) Passwords are exposed in request log

Posted by "Maria Catherine Tan (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/CONTINUUM-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Catherine Tan reopened CONTINUUM-2240:
--------------------------------------------



[jira] Commented: (CONTINUUM-2240) Passwords are exposed in request log

Posted by "Maria Catherine Tan (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/CONTINUUM-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=186759#action_186759 ] 

Maria Catherine Tan commented on CONTINUUM-2240:
------------------------------------------------

Changes made in r800620 cause this warning:

WARN org.apache.struts2.components.URL - Unknown value for includeParams parameter to URL tag: false


[jira] Commented: (CONTINUUM-2240) Passwords are exposed in request log

Posted by "Maria Catherine Tan (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/CONTINUUM-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=184774#action_184774 ] 

Maria Catherine Tan commented on CONTINUUM-2240:
------------------------------------------------

It also shows up in the browser's URL field while refreshing the page when adding a project.


[jira] Assigned: (CONTINUUM-2240) Passwords are exposed in request log

Posted by "Maria Catherine Tan (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/CONTINUUM-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Catherine Tan reassigned CONTINUUM-2240:
----------------------------------------------

    Assignee: Maria Catherine Tan


[jira] Commented: (CONTINUUM-2240) Passwords are exposed in request log

Posted by "Maria Catherine Tan (JIRA)" <ji...@codehaus.org>.
    [ http://jira.codehaus.org/browse/CONTINUUM-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=184944#action_184944 ] 

Maria Catherine Tan commented on CONTINUUM-2240:
------------------------------------------------

Setting includeParams to false fixes this.

<META HTTP-EQUIV="refresh" CONTENT="2;url=<s:url includeParams="false"/>"/>

Does anyone have any objection to this change? If not, I'll commit this :)


[jira] Closed: (CONTINUUM-2240) Passwords are exposed in request log

Posted by "Maria Catherine Tan (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/CONTINUUM-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Catherine Tan closed CONTINUUM-2240.
------------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.3.4

Fixed in
r800620 of 1.3.x branch
r800622 of trunk


[jira] Closed: (CONTINUUM-2240) Passwords are exposed in request log

Posted by "Maria Catherine Tan (JIRA)" <ji...@codehaus.org>.
     [ http://jira.codehaus.org/browse/CONTINUUM-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maria Catherine Tan closed CONTINUUM-2240.
------------------------------------------

    Resolution: Fixed

Set includeParams to none.

r803352 of 1.3.x branch
r803353 of trunk
