[jira] [Updated] (COUCHDB-2364) plaintext admin password remains visible if there are two [admin] sections

[Javier Candeira (JIRA)]

     [ 
https://issues.apache.org/jira/browse/COUCHDB-2364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Javier Candeira updated COUCHDB-2364:
-------------------------------------
    Description: 
How to reproduce:

1.
Make a local.ini document with two [admin] sections, and the user = password 
line in the second one, as the dev/run script did as of github commit 
d3094366b6775e7a54:

```
[admins]
;admin = mysecretpassword

[admins]
candeira = candeira
```
2.
CouchDB process will not replace the plaintext password, but merely edit in the 
hashed password under the first [admin] section, and leave the second one 
unchanged:

```
[admins]
;admin = mysecretpassword
candeira = 
-pbkdf2-a64e124a06c9c287d5b6ce260cd9c3da4049fe2d,28ea667261c84a53a5f1d92e83f2976d,10

[admins]
candeira = candeira
```

  was:
How to reproduce:

1.
Make a local.ini document with two [admin] sections, and the user = password 
line in the second one, as the dev/run script did as of github commit 
d3094366b6775e7a54:

    [admin]
    ; maybe a comment here

    [admin]
    candeira = candeira

2.
CouchDB process will not replace the plaintext password, but merely edit in the 
hashed password under the first [admin] section, and leave the second one 
unchanged:


> plaintext admin password remains visible if there are two [admin] sections
> --------------------------------------------------------------------------
>
>                 Key: COUCHDB-2364
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2364
>             Project: CouchDB
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: Database Core
>            Reporter: Javier Candeira
>
> How to reproduce:
> 1.
> Make a local.ini document with two [admin] sections, and the user = password 
> line in the second one, as the dev/run script did as of github commit 
> d3094366b6775e7a54:
> ```
> [admins]
> ;admin = mysecretpassword
> [admins]
> candeira = candeira
> ```
> 2.
> CouchDB process will not replace the plaintext password, but merely edit in 
> the hashed password under the first [admin] section, and leave the second one 
> unchanged:
> ```
> [admins]
> ;admin = mysecretpassword
> candeira = 
> -pbkdf2-a64e124a06c9c287d5b6ce260cd9c3da4049fe2d,28ea667261c84a53a5f1d92e83f2976d,10
> [admins]
> candeira = candeira
> ```



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)