Posted to notifications@couchdb.apache.org by mikewallace1979 <gi...@git.apache.org> on 2016/02/10 16:13:31 UTC

[GitHub] couchdb-couch-replicator pull request: Avoid logging creds on couc...

GitHub user mikewallace1979 opened a pull request:

    https://github.com/apache/couchdb-couch-replicator/pull/25

    Avoid logging creds on couch_replicator termination

    When couch_replicator terminates with an error we log the #rep
    record which can contain credentials for the source or target
    of a replication, either in the url directly or in an Authorization
    header.
    
    This commit adds a function to strip credentials from the #httpdb
    records in the #rep record and replace them with ****.
    
    Specifically this concerns the url and headers fields of the
    #rep.source and #rep.target #httpdb records.
    
    Closes COUCHDB-2949

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mikewallace1979/couchdb-couch-replicator 2949-avoid-logging-creds-on-couch_replicator-termination

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/couchdb-couch-replicator/pull/25.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #25
    
----
commit b6913a16eb67057d79b7b373d31fd95d015f7f18
Author: Mike Wallace <mi...@apache.org>
Date:   2016-02-10T14:59:50Z

    Avoid logging creds on couch_replicator termination
    
    When couch_replicator terminates with an error we log the #rep
    record which can contain credentials for the source or target
    of a replication, either in the url directly or in an Authorization
    header.
    
    This commit adds a function to strip credentials from the #httpdb
    records in the #rep record and replace them with ****.
    
    Specifically this concerns the url and headers fields of the
    #rep.source and #rep.target #httpdb records.
    
    Closes COUCHDB-2949

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] couchdb-couch-replicator pull request: Avoid logging creds on couc...

Posted by mikewallace1979 <gi...@git.apache.org>.
Github user mikewallace1979 commented on the pull request:

    https://github.com/apache/couchdb-couch-replicator/pull/25#issuecomment-182473117
  
    > Wouldn't credentials leak here as well?
    
    I *think* we're ok here because `source_name` and `target_name` in the `#rep_state` record have come from [`couch_replicator_api_wrap:db_uri/1`](https://github.com/apache/couchdb-couch-replicator/blob/master/src/couch_replicator.erl#L616-L617) which will either [extract just the dbname](https://github.com/apache/couchdb-couch-replicator/blob/master/src/couch_replicator_api_wrap.erl#L62-L63) or call [`couch_util:url_strip_password/1`](https://github.com/apache/couchdb-couch-replicator/blob/master/src/couch_replicator_api_wrap.erl#L59-L60).


[GitHub] couchdb-couch-replicator pull request: Avoid logging creds on couc...

Posted by kxepal <gi...@git.apache.org>.
Github user kxepal commented on the pull request:

    https://github.com/apache/couchdb-couch-replicator/pull/25#issuecomment-182517985
  
    Ah, good then!


[GitHub] couchdb-couch-replicator pull request: Avoid logging creds on couc...

Posted by rnewson <gi...@git.apache.org>.
Github user rnewson commented on the pull request:

    https://github.com/apache/couchdb-couch-replicator/pull/25#issuecomment-182912415
  
    +1


[GitHub] couchdb-couch-replicator pull request: Avoid logging creds on couc...

Posted by kxepal <gi...@git.apache.org>.
Github user kxepal commented on the pull request:

    https://github.com/apache/couchdb-couch-replicator/pull/25#issuecomment-182836080
  
    LGFM, but don't have a chance to test this.


[GitHub] couchdb-couch-replicator pull request: Avoid logging creds on couc...

Posted by iilyak <gi...@git.apache.org>.
Github user iilyak commented on the pull request:

    https://github.com/apache/couchdb-couch-replicator/pull/25#issuecomment-182916277
  
    Could you implement [format_status](http://erlang.org/doc/man/gen_server.html#Module:format_status-2) as well, in order to prevent leakage from a stack trace?

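One way to combine the credential stripping described in the PR above (url and Authorization header of the source and target #httpdb records) with the format_status/2 callback requested here, as an added example rather than code from this PR or from couch_replicator; the module name, the simplified #httpdb and #rep records and the assumption that the gen_server state is the #rep itself are mine:

```erlang
%% Added example (not couch_replicator's code): scrub credentials from the
%% replication records before they reach a log line or a crash report.
-module(rep_scrub_example).
-export([strip_credentials/1, strip_url/1, format_status/2]).

%% Assumed, simplified stand-ins for the real #httpdb and #rep records.
-record(httpdb, {url, headers = []}).
-record(rep, {id, source, target}).

%% Replace credentials in #rep.source and #rep.target, the two fields the
%% PR description names, and leave everything else untouched.
strip_credentials(#rep{source = Src, target = Tgt} = Rep) ->
    Rep#rep{source = strip_httpdb(Src), target = strip_httpdb(Tgt)};
strip_credentials(Other) ->
    Other.

strip_httpdb(#httpdb{url = Url, headers = Headers} = Db) ->
    Db#httpdb{url = strip_url(Url), headers = strip_headers(Headers)};
strip_httpdb(Other) ->
    Other.  % e.g. a local database name: nothing to scrub

%% Mask the userinfo part of scheme://user:pass@host/... with ****.
%% [^/]*@ is greedy, so a literal '@' inside the password is still covered;
%% an '@' after the first '/' (path or query) is never touched.
strip_url(Url) when is_list(Url) ->
    re:replace(Url, "^(https?://)[^/]*@", "\\1****@", [{return, list}]);
strip_url(Other) ->
    Other.

%% Mask the value of any Authorization header, whatever its letter case.
strip_headers(Headers) ->
    [case string:to_lower(Name) of
         "authorization" -> {Name, "****"};
         _ -> Header
     end || {Name, _} = Header <- Headers].

%% gen_server callback. With Opt = terminate the returned term replaces the
%% state in the crash report; otherwise it is what sys:get_status/1 shows.
%% Assumes the server state is the #rep record itself.
format_status(terminate, [_PDict, State]) ->
    strip_credentials(State);
format_status(_Opt, [_PDict, State]) ->
    [{data, [{"State", strip_credentials(State)}]}].
```

Note that this covers only the url and headers fields the PR targets; any other field that can carry a secret needs its own clause in strip_httpdb/1.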

[GitHub] couchdb-couch-replicator pull request: Avoid logging creds on couc...

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/couchdb-couch-replicator/pull/25


[GitHub] couchdb-couch-replicator pull request: Avoid logging creds on couc...

Posted by kxepal <gi...@git.apache.org>.
Github user kxepal commented on the pull request:

    https://github.com/apache/couchdb-couch-replicator/pull/25#issuecomment-182460085
  
    Wouldn't credentials leak [here](https://github.com/apache/couchdb-couch-replicator/pull/25/files#diff-ba1cca81bdc216835256f72cc6a72fa5R560) as well?
