Patrick Gell created QPIDJMS-588:
------------------------------------
Summary: Disclosure of broker password in log file
Key: QPIDJMS-588
URL: https://issues.apache.org/jira/browse/QPIDJMS-588
Project: Qpid JMS
Issue Type: Bug
Components: qpid-jms-client
Affects Versions: 2.2.0
Environment: We are currently using Apache Qpid 2.2.0
Reporter: Patrick Gell
If I have a failover URL with `user:password` configured then the password is
logged in plain text.
Broker URL:
failover:(amqp://myactivemquser:my-secure-password@localhost:5672)
Log extract:
2023-05-15 13:04:42.484 INFO [localhost:5672]]
org.apache.qpid.jms.JmsConnection : Connection
ID:83323730-746c-4430-988f-e9e5f699dc1c:1 connected to server:
amqp://myactivemquser:my-secure-password@localhost:5672
Expected behaviour:
The password is masked in the log or an IllegalArgumentException is thrown
similar to the non failover URL:
amqp://myactivemquser:my-secure-password@localhost:5672 results in a
...
Caused by: java.lang.IllegalArgumentException: The supplied URI cannot contain
a User-Info section
at
org.apache.qpid.jms.JmsConnectionFactory.setRemoteURI(JmsConnectionFactory.java:406)
at
org.amqphub.spring.boot.jms.autoconfigure.AMQP10JMSConnectionFactoryFactory.createConnectionFactory(AMQP10JMSConnectionFactoryFactory.java:66)
... 69 common frames omitted
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
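The two behaviours the report asks for, masking the password before the URI reaches a log line or rejecting a URI that carries a user-info section the way the non-failover path already does, as an added example that is not Qpid JMS code. The class and method names are assumptions, and the composite failover URI, host names and credentials in main() are constructed sample values.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not part of Qpid JMS. Handles credentials embedded in a broker URI
 * before the URI is logged. Assumes the URI shapes from the report: a plain
 * "amqp://user:pass@host:port" or a composite
 * "failover:(amqp://user:pass@host:port,amqps://user:pass@host2:port)?options".
 */
public final class BrokerUriRedactor {

    // scheme "://" user-info "@". The user-info group stops at the first '@' and excludes
    // characters that would end the authority or the failover member list, so every
    // member URI inside "failover:(...)" is matched separately.
    private static final Pattern USER_INFO =
            Pattern.compile("([A-Za-z][A-Za-z0-9+.\\-]*://)([^/?#@,()\\s]+)@");

    private BrokerUriRedactor() {}

    /** True when any member URI of the (possibly composite) URI carries a user-info section. */
    public static boolean containsUserInfo(String uri) {
        return uri != null && USER_INFO.matcher(uri).find();
    }

    /**
     * Returns a copy of the URI in which every password in a user-info section is replaced
     * by "***". The user name is kept so the log line still identifies the connecting account.
     */
    public static String redactPasswords(String uri) {
        if (uri == null) {
            return null;
        }
        Matcher m = USER_INFO.matcher(uri);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String userInfo = m.group(2);
            int colon = userInfo.indexOf(':');
            String masked = colon < 0
                    ? userInfo                                 // user name only, nothing to hide
                    : userInfo.substring(0, colon) + ":***";   // keep user name, drop password
            m.appendReplacement(out, Matcher.quoteReplacement(m.group(1) + masked + "@"));
        }
        m.appendTail(out);
        return out.toString();
    }

    /**
     * Mirrors what the report shows for non-failover URIs: reject a URI that embeds
     * credentials instead of letting it propagate into connection logging.
     */
    public static String requireNoUserInfo(String uri) {
        if (containsUserInfo(uri)) {
            throw new IllegalArgumentException("The supplied URI cannot contain a User-Info section");
        }
        return uri;
    }

    public static void main(String[] args) {
        // Constructed sample values; the password is a placeholder, not a real credential.
        String composite = "failover:(amqp://myactivemquser:my-secure-password@localhost:5672,"
                + "amqps://myactivemquser:my-secure-password@backup.example:5671)"
                + "?failover.maxReconnectAttempts=5";
        String plain = "amqp://localhost:5672";

        // Safe form of the composite URI for a "connected to server" style log line.
        System.out.println(redactPasswords(composite));

        // A URI without credentials passes the check unchanged.
        System.out.println(containsUserInfo(plain));
        System.out.println(requireNoUserInfo(plain));

        // The strict variant rejects the composite URI just like the non-failover path.
        try {
            requireNoUserInfo(composite);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The regex deliberately matches each member URI inside the failover parentheses rather than parsing the whole string with java.net.URI, because a composite "failover:(...)" string is not itself a valid hierarchical URI and URI.getUserInfo() would return nothing for it; that mismatch is exactly why a check applied only to the plain URI form lets the composite form through.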