Posted to notifications@couchdb.apache.org by "Mike Wallace (JIRA)" <ji...@apache.org> on 2016/02/15 22:09:18 UTC

[jira] [Created] (COUCHDB-2952) Teach couch_replicator to use credentials securely

Mike Wallace created COUCHDB-2952:
-------------------------------------

             Summary: Teach couch_replicator to use credentials securely
                 Key: COUCHDB-2952
                 URL: https://issues.apache.org/jira/browse/COUCHDB-2952
             Project: CouchDB
          Issue Type: Bug
          Components: Replication
            Reporter: Mike Wallace


The replicator currently stores credentials needed for replication in the gen_server state, either in the source/target URLs or the authorization header. This means it is possible for these credentials to get dumped out to the log file in plain text when couch_replicator terminates.

The most frequent (as observed so far) case of this was resolved over in COUCHDB-2949 [1]; however, it is still possible for the gen_server state to end up in the logs (e.g., it can end up in the Reason argument if a message is received that doesn't match any existing callbacks).

We should therefore store the credentials somewhere other than the state - perhaps an ets table or maybe the process dictionary.

[1] https://issues.apache.org/jira/browse/COUCHDB-2949 



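The ets-table option suggested in the issue, as an added example that is not part of the original message and is not CouchDB's code: a gen_server keeps the password in a private ets table, so a crash report that prints the state shows only a table reference. The module name, the record, and auth_header/1 are hypothetical; credentials are assumed to be strings and the URL is assumed to carry no userinfo.

```erlang
-module(repl_creds_example).
-behaviour(gen_server).

-export([start_link/3, auth_header/1]).
-export([init/1, handle_call/3, handle_cast/2, handle_info/2]).

%% The state holds only non-secret data plus the id of a private ets table.
%% Anything stored in this record can appear in a termination log entry.
-record(state, {url, creds}).

%% Url is assumed to have had any user:pass@ part removed by the caller.
start_link(Url, User, Pass) ->
    gen_server:start_link(?MODULE, {Url, User, Pass}, []).

%% Builds the Authorization header on demand instead of caching it in state.
auth_header(Pid) ->
    gen_server:call(Pid, auth_header).

init({Url, User, Pass}) ->
    %% 'private' means only the owning process can read or write the table;
    %% the table is deleted automatically when this process exits.
    Tab = ets:new(creds, [set, private]),
    true = ets:insert(Tab, {basic, User, Pass}),
    {ok, #state{url = Url, creds = Tab}}.

handle_call(auth_header, _From, #state{creds = Tab} = State) ->
    [{basic, User, Pass}] = ets:lookup(Tab, basic),
    Encoded = base64:encode_to_string(User ++ ":" ++ Pass),
    {reply, {"Authorization", "Basic " ++ Encoded}, State}.

handle_cast(_Msg, State) ->
    {noreply, State}.

%% Deliberately no catch-all clause: any message other than 'tick' fails
%% with function_clause, which is the case described in the issue. The
%% Reason and the logged state then contain the #state{} record, i.e. the
%% URL and a table reference, not the user name or password.
handle_info(tick, State) ->
    {noreply, State}.
```

The process dictionary is the weaker of the two options named in the issue, because proc_lib crash reports include the crashed process's dictionary.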