[
https://issues.apache.org/jira/browse/COUCHDB-2364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14162943#comment-14162943
]
Javier Candeira commented on COUCHDB-2364:
------------------------------------------
Fortunately the fix for https://issues.apache.org/jira/browse/COUCHDB-2362 in
the pull request at https://github.com/apache/couchdb/pull/269 also fixes this
error.
> plaintext admin password remains visible if there are two [admin] sections
> --------------------------------------------------------------------------
>
> Key: COUCHDB-2364
> URL: https://issues.apache.org/jira/browse/COUCHDB-2364
> Project: CouchDB
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: Database Core
> Reporter: Javier Candeira
> Priority: Critical
>
> How to reproduce:
> 1.
> Make a local.ini document with two [admin] sections, and the user = password
> line in the second one, as the dev/run script did as of github commit
> d3094366b6775e7a54:
> ```
> [admins]
> ;admin = mysecretpassword
> [admins]
> candeira = candeira
> ```
> 2.
> CouchDB process will not replace the plaintext password, but merely edit in
> the hashed password under the first [admin] section, and leave the second one
> unchanged:
> ```
> [admins]
> ;admin = mysecretpassword
> candeira =
> -pbkdf2-a64e124a06c9c287d5b6ce260cd9c3da4049fe2d,28ea667261c84a53a5f1d92e83f2976d,10
> [admins]
> candeira = candeira
> ```
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
