J. Brébec created KARAF-7256:
--------------------------------
Summary: Action logs could leak password if passed as argument or options
Key: KARAF-7256
URL: https://issues.apache.org/jira/browse/KARAF-7256
Project: Karaf
Issue Type: Bug
Components: karaf
Affects Versions: 4.3.2
Reporter: J. Brébec
If a shell Action takes a sensitive argument like a password, this password will
be visible every time the Action logs something.
The statement is used to set the name of the thread, without obfuscating any
arguments or options. The thread name is logged with the default log4j
configuration.
[felix-dev/Pipe.java at 3e5671ae7e5107f4f849ef9d5f0a89b1ba9d7439 · apache/felix-dev · GitHub|https://github.com/apache/felix-dev/blob/3e5671ae7e5107f4f849ef9d5f0a89b1ba9d7439/gogo/runtime/src/main/java/org/apache/felix/gogo/runtime/Pipe.java#L228]
Using the "censor" property in @Argument or @Option doesn't change anything.
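The mechanism this report describes, as an added example that is not part of the original message and is not Felix Gogo or Karaf code: a command statement used verbatim as the thread name shows up in any log layout that prints the thread name, while a redacted thread name does not. The class, the method names, the sensitive-option list and the sample command are all assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added illustration, not Felix Gogo or Karaf code. All names are hypothetical
// and the command line in main() is constructed sample input.
public class ThreadNameRedaction {

    // Assumed stand-in for whatever marks an option value as sensitive.
    static final Set<String> SENSITIVE = Set.of("-p", "--password");

    // Mask the token after a sensitive option, and the "--opt=value" form.
    // Whitespace tokenizing only: quoted values containing spaces and
    // positional (unnamed) arguments are not covered by this sketch.
    static String redact(String commandLine) {
        List<String> out = new ArrayList<>();
        boolean maskNext = false;
        for (String tok : commandLine.trim().split("\\s+")) {
            int eq = tok.indexOf('=');
            if (maskNext) {
                out.add("***");
                maskNext = false;
            } else if (eq > 0 && SENSITIVE.contains(tok.substring(0, eq))) {
                out.add(tok.substring(0, eq) + "=***");
            } else {
                out.add(tok);
                maskNext = SENSITIVE.contains(tok);
            }
        }
        return String.join(" ", out);
    }

    // Stand-in for a log layout that includes the thread name.
    static String logLine(String msg) {
        return "INFO | " + Thread.currentThread().getName() + " | " + msg;
    }

    public static void main(String[] args) throws InterruptedException {
        String cmd = "demo:connect --user admin --password S3cret! host1"; // constructed
        // Raw statement as thread name: the password is in every log line.
        Thread leaky = new Thread(() -> System.out.println(logLine("connecting")), cmd);
        // Redacted statement as thread name: same message, no secret.
        Thread safe = new Thread(() -> System.out.println(logLine("connecting")), redact(cmd));
        leaky.start(); leaky.join();
        safe.start(); safe.join();
    }
}
```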