You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@couchdb.apache.org by "Mike Wallace (JIRA)" <ji...@apache.org> on 2016/02/10 15:47:18 UTC

[jira] [Created] (COUCHDB-2949) Replications which fail to start dump creds into the logs

Mike Wallace created COUCHDB-2949:
-------------------------------------

             Summary: Replications which fail to start dump creds into the logs
                 Key: COUCHDB-2949
                 URL: https://issues.apache.org/jira/browse/COUCHDB-2949
             Project: CouchDB
          Issue Type: Bug
          Components: Replication
            Reporter: Mike Wallace


If a replication fails to start then the `#rep` record is logged [1]. This can contain credentials in either the source or target `#httpdb` records, either in urls or the authorization header.

This can be reproduced by posting a replication document which specifies a replication from a database that doesn't exist and following the logs, e.g.: https://gist.github.com/mikewallace1979/757a48bce6b84fbf080c

Note that the creds are exposed both when they are in the source/target url or in the `Authorization` header.

[1] https://github.com/apache/couchdb-couch-replicator/blob/master/src/couch_replicator.erl#L519-L520



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)