[Bug 61114] startup.VersionLoggerListener may leak sensitive information

2017-05-23 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61114

--- Comment #2 from jhermann  ---
Sorry, should've thought of checking the docs beforehand. Thanks for the
hints, those helped.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 61114] startup.VersionLoggerListener may leak sensitive information

2017-05-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61114

Konstantin Kolinko  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEW                         |RESOLVED
     Resolution    |---                         |WONTFIX

--- Comment #1 from Konstantin Kolinko  ---
1. The option already exists. Looking at the oldest version supported now
(7.0.x), it is named "logArgs", and it exists in all newer versions as well.

http://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html


2. Passing secrets via command line arguments is a well-known bad idea / SNAFU,
because they are visible to other local users that can run the "ps" command or
read "/proc//cmdline".

A better idea would be to put them into conf/catalina.properties.

Also see the FAQ
https://wiki.apache.org/tomcat/FAQ/Password

Note that system properties are not logged by default configuration of
VersionLoggerListener (configured by the "logProps" attribute).


3. Command line arguments provide important information for troubleshooting.

JVM options, memory size configuration, logging configuration.


4. Logs are well known to contain sensitive information (e.g. they may contain
session ids) and shall be protected from world-wide access.


I do not see what can be improved here. Closing as WONTFIX.

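The listener attributes mentioned in comment #1 ("logArgs" and "logProps") are set on the VersionLoggerListener element in conf/server.xml. The following excerpt is an added example, not part of the bug report or of Tomcat's shipped server.xml; it assumes a default Tomcat installation where the listener is already declared, and shows the default declaration next to one that suppresses the command-line argument dump. The exact Listener className and the two attribute names are the ones documented on the listeners page linked above; everything else in the snippet is illustrative.

```xml
<!-- conf/server.xml (excerpt); added example, not Tomcat's own file -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- As shipped: logArgs defaults to true, so every JVM argument
       (including any -Dsecret=... passed on the command line) is written to
       the Tomcat log at startup. logProps defaults to false, so system
       properties are not logged unless explicitly enabled. -->
  <!--
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  -->

  <!-- Hardened: keep the version banner for troubleshooting, but do not
       echo the argument list or the system properties into the log. -->
  <Listener className="org.apache.catalina.startup.VersionLoggerListener"
            logArgs="false"
            logProps="false" />

  <!-- remaining listeners and Service definitions unchanged -->
</Server>
```

Turning off logArgs only removes the value from the log file; as comment #1 points out, anything on the command line is still readable by other local users through ps and the /proc filesystem, so the secret itself belongs in conf/catalina.properties (with file permissions restricted to the Tomcat user), and the log directory should be protected in the same way.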



[Bug 61114] startup.VersionLoggerListener may leak sensitive information

2017-05-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61114

Michael Osipov <1983-01...@gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             CC    |                            |1983-01...@gmx.net
