SeisComP / common

SeisComP framework C++ libraries, Python wrappers and messaging

DB passwords are logged in Application::initDatabase #114

Closed Jollyfant closed 10 months ago

Jollyfant commented 10 months ago

Hi, the full database string including password is logged when the -d or --database flag is used. There are various places in the following function this can occur:

https://github.com/SeisComP/common/blob/master/libs/seiscomp/client/application.cpp#L1823.

It would probably be better to obfuscate the password like is done in other places.

gempa-jabe commented 10 months ago

Then the application has to parse the URI and remove or obfuscate the password. This hasn't been done and maybe it is not even necessary as the interface implementation already logs errors. Simply getting rid of those lines or at least the URI in the log should do the trick. Could you propose something and test it on your end?

Jollyfant commented 10 months ago

Yeah probably removing the %s part of the logging is good. The messages can stay but without information. I will test it and submit a PR for it.

Jollyfant commented 10 months ago

Another instance here:

https://github.com/SeisComP/common/blob/master/apps/messaging/scmaster/plugins/dbstore/dbstore.cpp#L82

Jollyfant commented 10 months ago

See #115

gempa-jabe commented 10 months ago

I will pick the changes next week. They will be part of a bugfix release as 6.0.1 is already out.
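
The thread settles on dropping the URI from the log messages. The alternative raised above, parsing the URI and masking the password before logging, could look like the following added example, which is not SeisComP code and not the change in #115. The helper name `maskDbPassword`, the sample URIs and the assumed URI shape `[service://]user:password@host[:port]/database[?params]` are illustrative assumptions.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper (not a SeisComP API): returns a copy of a database
// URI with the password replaced, suitable for passing to a log call.
// Assumed shape: [service://]user:password@host[:port]/database[?params]
std::string maskDbPassword(const std::string &uri) {
    // Accept "service://" only if its ':' is the first ':' in the string,
    // so a password that itself contains "://" is not taken for a scheme.
    std::string::size_type scheme = uri.find("://");
    std::string::size_type start =
        (scheme != std::string::npos && uri.find(':') == scheme) ? scheme + 3 : 0;

    // Ignore any '@' that appears in the parameter part.
    std::string::size_type end = uri.find('?', start);
    if (end == std::string::npos) end = uri.size();
    if (end == start) return uri;

    // Take the last '@' before the parameters, so a password containing
    // '@' or '/' is still covered. This errs toward over-redaction.
    std::string::size_type at = uri.rfind('@', end - 1);
    if (at == std::string::npos || at < start) return uri;  // no credentials

    // The first ':' before that '@' separates user and password.
    std::string::size_type colon = uri.find(':', start);
    if (colon == std::string::npos || colon > at) return uri;  // user only

    return uri.substr(0, colon + 1) + "***" + uri.substr(at);
}

int main() {
    // Constructed sample values, not taken from any real deployment.
    const char *samples[] = {
        "mysql://sysop:s3cret@localhost/seiscomp",
        "sysop:p@ss/word@db.example.org:3306/seiscomp?debug",
        "postgresql://localhost/seiscomp"
    };
    for (const char *s : samples)
        std::cout << "Connecting to database " << maskDbPassword(s) << "\n";
    return 0;
}
```

Masking only protects the call sites that use it; every log statement that formats the raw URI, including the second instance in `dbstore.cpp` mentioned above, has to be switched over or stripped.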