[
http://jira.codehaus.org/browse/CONTINUUM-2240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Maria Catherine Tan closed CONTINUUM-2240.
------------------------------------------
Resolution: Fixed
set includeParams to none
r803352 of 1.3.x branch
r803353 of trunk
> Passwords are exposed in request log
> ------------------------------------
>
> Key: CONTINUUM-2240
> URL: http://jira.codehaus.org/browse/CONTINUUM-2240
> Project: Continuum
> Issue Type: Bug
> Affects Versions: 1.3.3
> Environment: 1.3.3-SNAPSHOT r777534
> Reporter: Wendy Smoak
> Assignee: Maria Catherine Tan
> Fix For: 1.3.4
>
>
> Subversion passwords are exposed in plain text in the request log when adding
> a project, for example:
> 2009_05_22.request.log:0:0:0:0:0:0:0:1%0 - - [22/May/2009:14:45:32 +0000]
> "GET
> /continuum/addMavenTwoProject.action?scmUsername=wsmoak&__checkbox_scmUseCache=true&__checkbox_nonRecursiveProject=true&buildDefinitionTemplateId=-1&m2PomUrl=http%3A%2F%2Fsvn.apache.org%2Frepos%2Fasf%2Fcontinuum%2Fsandbox%2Fsimple-example%2Fpom.xml&scmPassword=mypassw0rd&selectedProjectGroup=-1
> HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US;
> rv:1.9.0.10) Gecko/2009042315 Firefox/3.0.10"
> I assume this is a Jetty log file that we can't do anything about. If so, we
> need to document how to turn off this logging, or perhaps leave it off by
> default and document how to turn it on if needed.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
