Posted to issues@geode.apache.org by "Patrick Rhomberg (JIRA)" <ji...@apache.org> on 2017/08/16 22:33:00 UTC
[jira] [Created] (GEODE-3452) gfsh does not redact passwords from history until the session is closed
Patrick Rhomberg created GEODE-3452:
---------------------------------------
Summary: gfsh does not redact passwords from history until the session is closed
Key: GEODE-3452
URL: https://issues.apache.org/jira/browse/GEODE-3452
Project: Geode
Issue Type: Bug
Components: gfsh, logging, security
Reporter: Patrick Rhomberg
The `ArgumentRedactor` does not act on `gfsh` history until it is written to file when the `gfsh` session is closed. As a result, non-redacted passwords may be exposed in the `history` command as well as the Ctrl-R reverse-i-search until the session is closed.
Because the redactor's behavior is simple, you can reproduce this with a simple `echo` command.
{noformat}
gfsh> echo "example case --exposed-option=123 --password=456"
example case --exposed-option 123 --password=456
gfsh> history
[...]
491 490: echo "example case --exposed-option=123 --password=456"
492 491: history
gfsh> exit
Exiting...
[Restart gfsh]
gfsh> history
480 479: echo "example case --exposed-option=123 --password=*****
481 480: history
482 481: exit
483 482: history
{noformat}
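The timing gap described in the report, as an added example that is not part of the original message and is not Geode's code: a history buffer that redacts only when writing the file, compared with one that redacts as each line is added. The class and method names and the redaction pattern are hypothetical assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration, not Geode source. All names here are hypothetical.
public class HistoryRedactionDemo {
    // Assumed rule: mask the value of any option whose name contains "password".
    // The value is taken to run up to the next whitespace.
    private static final Pattern SECRET = Pattern.compile(
        "(--[\\w-]*password[\\w-]*=)\\S+", Pattern.CASE_INSENSITIVE);

    static String redact(String line) {
        return SECRET.matcher(line).replaceAll("$1*****");
    }

    // In-memory history; redactOnAdd selects when redaction happens.
    static class History {
        private final List<String> entries = new ArrayList<>();
        private final boolean redactOnAdd;

        History(boolean redactOnAdd) { this.redactOnAdd = redactOnAdd; }

        void add(String line) { entries.add(redactOnAdd ? redact(line) : line); }

        // What a history listing shows while the session is still open.
        List<String> list() { return new ArrayList<>(entries); }

        // Newest entry containing the fragment, like a reverse search.
        String reverseSearch(String fragment) {
            for (int i = entries.size() - 1; i >= 0; i--) {
                if (entries.get(i).contains(fragment)) return entries.get(i);
            }
            return null;
        }

        // What reaches the history file at session close (redact is idempotent).
        List<String> linesForFile() {
            List<String> out = new ArrayList<>();
            for (String e : entries) out.add(redact(e));
            return out;
        }
    }

    public static void main(String[] args) {
        // Constructed input: the command from the report.
        String cmd = "echo \"example case --exposed-option=123 --password=456\"";
        for (boolean eager : new boolean[] {false, true}) {
            History h = new History(eager);
            h.add(cmd);
            System.out.println("redactOnAdd=" + eager);
            System.out.println("  list:   " + h.list());
            System.out.println("  search: " + h.reverseSearch("--password"));
            System.out.println("  file:   " + h.linesForFile());
        }
    }
}
```

With `redactOnAdd=false` the listing and search still return the raw value while the file output is masked; with `redactOnAdd=true` all three views agree.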