https://bz.apache.org/bugzilla/show_bug.cgi?id=61114
Bug ID: 61114
Summary: startup.VersionLoggerListener may leak sensitive
information
Product: Tomcat 8
Version: 8.0.28
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: juergen.herm...@1und1.de
Target Milestone: ----
Related to https://bz.apache.org/bugzilla/show_bug.cgi?id=56401
When passwords or similar are part of the JVM command line, they end up in logs
that might be shipped to locations where you don't want that information to end
up in. At least well-known cases should be handled
(-Djavax.net.ssl.trustStorePassword=...).
Possible remedies:
* Provide an option to not log command line args (but the other information).
* Handle well-known cases via a blacklist of substrings / regex that prevent
logging ("javax.net.ssl.trustStorePassword", or "password" and "secret" in
general).
Or course, removing the listener also works, but at the price of removing *all*
of its logging.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
