[ https://issues.apache.org/jira/browse/CASSANDRA-13763?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16770229#comment-16770229 ]

C. Scott Andreas edited comment on CASSANDRA-13763 at 2/16/19 9:15 PM:
-----------------------------------------------------------------------

Thanks for reaching out, and sorry for the delay in reply to your question.

This code is part of the cassandra-stress tool, a benchmarking harness that is 
typically used for load testing purposes only, and in this case would print 
`null` indicating that no password was supplied by the user at the start of the 
run. I don't think a substantial issue exists here.

Thanks again for the report.


was (Author: cscotta):
Thanks for reaching out, and sorry for the delay in reply to your question.

This code is part of the cassandra-stress tool, a benchmarking harness that is 
typically used for load testing purposes only, and in this case would print the 
password supplied by the user at the beginning of that test to document the 
run. I don't think a substantial issue exists here.

Thanks again for the report.

> Trivial but potential security issue? 
> --------------------------------------
>
>                 Key: CASSANDRA-13763
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-13763
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Legacy/Tools
>            Reporter: JC
>            Priority: Trivial
>
> Hi
> In a recent GitHub mirror, I've found the following line.
> Path: tools/stress/src/org/apache/cassandra/stress/settings/SettingsMode.java
> {code:java}
> out.printf("  Password: %s%n", (password==null?password:"*suppressed    *"));
> {code}
> As the original password is intended to be masked as "*suppressed   *", I was 
> wondering if showing "null" when the password is null is safe. This might not 
> be an issue but I wanted to report just in case. Thanks!


