[
https://issues.apache.org/jira/browse/GEODE-3452?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Anthony Baker closed GEODE-3452.
--------------------------------
> gfsh does not redact passwords from history until the session is closed
> -----------------------------------------------------------------------
>
> Key: GEODE-3452
> URL: https://issues.apache.org/jira/browse/GEODE-3452
> Project: Geode
> Issue Type: Bug
> Components: gfsh, logging, security
> Reporter: Patrick Rhomberg
> Priority: Major
>
> The `ArgumentRedactor` does not act on `gfsh` history until it is written to
> file when the `gfsh` session is closed. As a result, non-redacted passwords
> may be exposed in the `history` command as well as the Ctrl-R
> reverse-i-search until the session is closed.
> Because the redactor's behavior is simple, you can reproduce this with a
> simple `echo` command.
> {noformat}
> gfsh> echo "example case --exposed-option=123 --password=456"
> example case --exposed-option 123 --password=456
> gfsh> history
> [...]
> 491 490: echo "example case --exposed-option=123 --password=456"
> 492 491: history
> gfsh> exit
> Exiting...
> [Restart gfsh]
> gfsh> history
> 480 479: echo "example case --exposed-option=123 --password=*****
> 481 480: history
> 482 481: exit
> 483 482: history
> {noformat}
> ---
> Update: Upon a quick investigation, it appears that this and GEODE-4318 both
> can be addressed by creating / overriding and redacting in {{GfshHistory}}'s
> implementation of {{jline.console.history.History::add}}. Closing this
> ticket as a duplicate of 4318.
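
The difference between redacting when the history is flushed and redacting inside `add`, as the update proposes, shown as an added example that is not part of the ticket and not Geode's code. The classes below are hypothetical stand-ins: `redact` is a simplified substitute for `ArgumentRedactor`, and the two history classes do not use jline.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class RedactingHistoryDemo {
    // Simplified stand-in for Geode's ArgumentRedactor (assumption): masks the
    // value of any option whose name contains "password".
    static final Pattern SECRET =
        Pattern.compile("(--[\\w-]*password[\\w-]*[= ])\\S+", Pattern.CASE_INSENSITIVE);

    static String redact(CharSequence line) {
        return SECRET.matcher(line).replaceAll("$1*****");
    }

    // Behaviour described in the ticket: raw lines are kept in memory and
    // redacted only when the history is written out at session end.
    static class RedactOnFlushHistory {
        protected final List<String> entries = new ArrayList<>();
        void add(CharSequence line) { entries.add(line.toString()); }
        List<String> inSession() { return entries; }   // what `history` and Ctrl-R read
        List<String> flush() {                         // what reaches the history file
            List<String> out = new ArrayList<>();
            for (String e : entries) out.add(redact(e));
            return out;
        }
    }

    // Approach from the ticket update: redact inside add(), so the secret is
    // never stored in the in-memory history at all.
    static class RedactOnAddHistory extends RedactOnFlushHistory {
        @Override void add(CharSequence line) { super.add(redact(line)); }
    }

    public static void main(String[] args) {
        // Constructed input: the echo command from the ticket's reproduction.
        String cmd = "echo \"example case --exposed-option=123 --password=456\"";
        RedactOnFlushHistory before = new RedactOnFlushHistory();
        RedactOnAddHistory after = new RedactOnAddHistory();
        before.add(cmd);
        after.add(cmd);
        System.out.println("flush-only, in session: " + before.inSession());
        System.out.println("flush-only, on disk:    " + before.flush());
        System.out.println("redact-on-add, session: " + after.inSession());
        System.out.println("redact-on-add, on disk: " + after.flush());
    }
}
```

Only the first printed line still contains `456`: with flush-time redaction the file is clean, but the running session is not.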