ankiit / logstash

Automatically exported from code.google.com/p/logstash
0 stars 0 forks source link

Clear text password in logfile #9

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
When running logstash and using a stomp connector as input/output, the full URL 
including the clear text password is logged.

Would it be possible to turn off this verbosity?

Thanks,
M

Original issue reported on code.google.com by r4ce2z...@gmail.com on 12 Jan 2011 at 11:17

GoogleCodeExporter commented 9 years ago
Thanks for filing. I'll work on a fix that makes sure we never log the password 
used in any url.

Original comment by jls.semi...@gmail.com on 12 Jan 2011 at 3:33

GoogleCodeExporter commented 9 years ago

Original comment by jls.semi...@gmail.com on 18 Jan 2011 at 6:54

GoogleCodeExporter commented 9 years ago
Came up with a fix.

I've written a password class for logstash that when printed only reveals 
"<password>" so any normal logging of that object should not reveal the password

Example:

I, [2011-04-06T01:01:28.502000 #21526]  INFO -- agent.rb:273#run_with_config: 
["Starting input", #<LogStash::Inputs::Twitter:0x2bf87baf @tags=[], 
@config={"user"=>"jls_api", "password"=><password>, ...

I think this is sufficient :)

This will show up in 1.0

Original comment by jls.semi...@gmail.com on 6 Apr 2011 at 8:02