Posted to commits@cassandra.apache.org by "C. Scott Andreas (JIRA)" <ji...@apache.org> on 2019/02/16 21:15:00 UTC

[jira] [Commented] (CASSANDRA-13763) Trivial but potential security issue?

    [ https://issues.apache.org/jira/browse/CASSANDRA-13763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16770229#comment-16770229 ] 

C. Scott Andreas commented on CASSANDRA-13763:
----------------------------------------------

Thanks for reaching out, and sorry for the delay in replying to your question.

This code is part of the cassandra-stress tool, a benchmarking harness that is typically used for load testing purposes only, and in this case would print the password supplied by the user at the beginning of that test to document the run. I don't think a substantial issue exists here.

Thanks again for the report.

> Trivial but potential security issue? 
> --------------------------------------
>
>                 Key: CASSANDRA-13763
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13763
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Legacy/Tools
>            Reporter: JC
>            Priority: Trivial
>
> Hi
> In a recent github mirror, I've found the following line.
> Path: tools/stress/src/org/apache/cassandra/stress/settings/SettingsMode.java
> {code:java}
> 177         out.printf("  Password: %s%n", (password==null?password:"*suppressed    *"));
> {code}
> As the original password is intended to be masked as "*suppressed   *", I was wondering if showing "null" when the password is null is safe. This might not be an issue but I wanted to report just in case. Thanks!


