[jira] [Commented] (COUCHDB-2949) Replications which fail to start dump creds into the logs

[ASF GitHub Bot (JIRA)]

    [ 
https://issues.apache.org/jira/browse/COUCHDB-2949?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15140956#comment-15140956
 ] 

ASF GitHub Bot commented on COUCHDB-2949:
-----------------------------------------

GitHub user mikewallace1979 opened a pull request:

    https://github.com/apache/couchdb-couch-replicator/pull/25

    Avoid logging creds on couch_replicator termination

    When couch_replicator terminates with an error we log the #rep
    record which can contain credentials for the source or target
    of a replication, either in the url directly or in an Authorization
    header.
    
    This commit adds a function to strip credentials from the #httpdb
    records in the #rep record and replace them with ****.
    
    Specifically this concerns the url and headers fields of the
     #rep.source and #rep.target #httpdb records.
    
    Closes COUCHDB-2949

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/mikewallace1979/couchdb-couch-replicator 
2949-avoid-logging-creds-on-couch_replicator-termination

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/couchdb-couch-replicator/pull/25.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #25
    
----
commit b6913a16eb67057d79b7b373d31fd95d015f7f18
Author: Mike Wallace <mikewall...@apache.org>
Date:   2016-02-10T14:59:50Z

    Avoid logging creds on couch_replicator termination
    
    When couch_replicator terminates with an error we log the #rep
    record which can contain credentials for the source or target
    of a replication, either in the url directly or in an Authorization
    header.
    
    This commit adds a function to strip credentials from the #httpdb
    records in the #rep record and replace them with ****.
    
    Specifically this concerns the url and headers fields of the
     #rep.source and #rep.target #httpdb records.
    
    Closes COUCHDB-2949

----


> Replications which fail to start dump creds into the logs
> ---------------------------------------------------------
>
>                 Key: COUCHDB-2949
>                 URL: https://issues.apache.org/jira/browse/COUCHDB-2949
>             Project: CouchDB
>          Issue Type: Bug
>          Components: Replication
>            Reporter: Mike Wallace
>
> If a replication fails to start then the `#rep` record is logged [1]. This 
> can contain credentials in either the source or target `#httpdb` records, 
> either in urls or the authorization header.
> This can be reproduced by posting a replication document which specifies a 
> replication from a database that doesn't exist and following the logs, e.g.: 
> https://gist.github.com/mikewallace1979/757a48bce6b84fbf080c
> Note that the creds are exposed both when they are in the source/target url 
> or in the `Authorization` header.
> [1] 
> https://github.com/apache/couchdb-couch-replicator/blob/master/src/couch_replicator.erl#L519-L520



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)