Posted to dev@qpid.apache.org by "Patrick Gell (Jira)" <ji...@apache.org> on 2023/05/15 12:36:00 UTC

[jira] [Created] (QPIDJMS-588) Disclosure of broker password in log file

Patrick Gell created QPIDJMS-588:
------------------------------------

             Summary: Disclosure of broker password in log file
                 Key: QPIDJMS-588
                 URL: https://issues.apache.org/jira/browse/QPIDJMS-588
             Project: Qpid JMS
          Issue Type: Bug
          Components: qpid-jms-client
    Affects Versions: 2.2.0
         Environment: We are currently using Apache Qpid 2.2.0
            Reporter: Patrick Gell


If I have a failover URL with `user:password` configured, then the password is logged in plain text.


BrokerURL: failover:(amqp://myactivemquser:my-secure-password@localhost:5672)


Log extract:
2023-05-15 13:04:42.484  INFO [localhost:5672]] org.apache.qpid.jms.JmsConnection        : Connection ID:83323730-746c-4430-988f-e9e5f699dc1c:1 connected to server: amqp://myactivemquser:my-secure-password@localhost:5672

Expected behaviour:

The password is masked in the log or an IllegalArgumentException is thrown similar to the non failover URL:

amqp://myactivemquser:my-secure-password@localhost:5672 results in a

...

Caused by: java.lang.IllegalArgumentException: The supplied URI cannot contain a User-Info section
    at org.apache.qpid.jms.JmsConnectionFactory.setRemoteURI(JmsConnectionFactory.java:406)
    at org.amqphub.spring.boot.jms.autoconfigure.AMQP10JMSConnectionFactoryFactory.createConnectionFactory(AMQP10JMSConnectionFactoryFactory.java:66)
    ... 69 common frames omitted

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

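An added example, not code from the Qpid JMS client or from the reporter: a small Python helper showing the two behaviours the report asks for, masking the password in a plain or failover:(...) broker URL before the "connected to server" line is written, or rejecting any URI that carries a user-info section outright. The regex, the function names and the sample URLs are assumptions made for this illustration.

```python
import logging
import re

# Matches the "scheme://userinfo@" prefix of every URI embedded in a string,
# including each member of a failover:(uri1,uri2)?options list. The userinfo
# class stops at the characters that terminate a member URI inside the list.
_USERINFO_RE = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*://)(?P<userinfo>[^/@?#,()\s]+)@"
)


def contains_userinfo(uri: str) -> bool:
    """True if any URI in the string (plain or failover member) has a user-info section."""
    return _USERINFO_RE.search(uri) is not None


def redact_userinfo(uri: str, mask: str = "*****") -> str:
    """Return the URI with every password replaced by `mask`; usernames are kept."""
    def _mask(match):
        userinfo = match.group("userinfo")
        if ":" not in userinfo:
            # Username only, nothing secret to hide.
            return f"{match.group('scheme')}{userinfo}@"
        user = userinfo.split(":", 1)[0]
        return f"{match.group('scheme')}{user}:{mask}@"
    return _USERINFO_RE.sub(_mask, uri)


def reject_userinfo(uri: str) -> str:
    """Strict option, mirroring the non-failover path in the report: refuse credentials in the URI."""
    if contains_userinfo(uri):
        raise ValueError("The supplied URI cannot contain a User-Info section")
    return uri


logger = logging.getLogger("org.apache.qpid.jms.JmsConnection")


def log_connected(connection_id: str, remote_uri: str) -> str:
    """Build the 'connected to server' line with credentials masked before it reaches the log."""
    line = f"Connection ID:{connection_id} connected to server: {redact_userinfo(remote_uri)}"
    logger.info(line)
    return line


if __name__ == "__main__":
    # Constructed sample modelled on the report's broker URL; the credentials are not real.
    broker_url = "failover:(amqp://myactivemquser:my-secure-password@localhost:5672)"
    print(log_connected("example-conn:1", broker_url))
```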