davideuler / gitblit

Automatically exported from code.google.com/p/gitblit
Apache License 2.0

redmine auth provider leaks mistyped passwords in log files #466

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Gitblit 1.6.0 on Windows 2012.

What steps will reproduce the problem?
1. configure redmine auth provider
2. try to connect with a wrong password
3. look at your gitblit log files

2014-07-17 14:38:47 [WARN ] Failed to authenticate via username/password against Redmine
2014-07-17 14:38:47 [ERROR] Failed to authenticate via apikey against Redmine
java.io.IOException: Server returned HTTP response code: 401 for URL: http://mydomain.org:8080/redmine/users/current.json?key=mypassword

Redmine provides other ways to authenticate with an API key which could avoid this behavior:
* passed in as a username with a random password via HTTP Basic authentication
* passed in as a "X-Redmine-API-Key" HTTP header

Regards

Original issue reported on code.google.com by meret...@gmail.com on 17 Jul 2014 at 12:59

GoogleCodeExporter commented 9 years ago
Yeah, this should be addressed.

As for alternative authentication, I'll be happy to accept PRs for that. I don't run Redmine.

Original comment by James.Mo...@gmail.com on 12 Aug 2014 at 7:15

GoogleCodeExporter commented 9 years ago
Done: https://github.com/gitblit/gitblit/pull/215

The provider now uses the X-Redmine-API-Key header.

New error stacktrace:
2014-08-19 01:01:41 [WARN ] Failed to authenticate via username/password against Redmine
2014-08-19 01:01:41 [ERROR] Failed to authenticate via apikey against Redmine
java.io.IOException: Server returned HTTP response code: 401 for URL: http://localhost:3000/users/current.json

Original comment by meret...@gmail.com on 18 Aug 2014 at 11:24
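The following is an added illustration of the two comments above, written here in Python rather than taken from Gitblit's Java code or from the pull request. It builds the same request both ways: the original form, which sends the key as a `?key=` query parameter, and the fixed form, which sends it in the `X-Redmine-API-Key` header. The 401 error text is reconstructed offline in the shape Java's `HttpURLConnection` produced in the report (the message embeds the full URL), which is exactly why the query-string form ends up in the log and the header form does not. The base URL, the `redact_query_secrets` helper and the list of parameter names it scrubs are assumptions, not anything from the thread; the helper is a defence-in-depth measure for a deployment that cannot upgrade immediately.

```python
# Added example (not Gitblit's or Redmine's code). Runs offline: nothing is sent.
import re
import urllib.parse
import urllib.request

REDMINE_BASE = "http://localhost:3000"   # constructed base URL (assumption)


def build_query_key_request(base_url: str, api_key: str) -> urllib.request.Request:
    """Leaky pattern from the original report: the key is passed as ?key=... in the URL.
    When the username/password attempt fails, the provider retried with the typed
    password as the API key, so a mistyped password landed in the URL."""
    query = urllib.parse.urlencode({"key": api_key})
    return urllib.request.Request(f"{base_url}/users/current.json?{query}")


def build_header_key_request(base_url: str, api_key: str) -> urllib.request.Request:
    """Fixed pattern described in the thread: the key travels in X-Redmine-API-Key."""
    req = urllib.request.Request(f"{base_url}/users/current.json")
    req.add_header("X-Redmine-API-Key", api_key)
    return req


def header_value(req: urllib.request.Request, name: str):
    """Case-insensitive header lookup (urllib stores header names capitalized)."""
    for key, value in req.header_items():
        if key.lower() == name.lower():
            return value
    return None


def auth_failure_message(req: urllib.request.Request, status: int = 401) -> str:
    """Error text in the shape the report's java.io.IOException had: it embeds the
    full URL, so whatever the URL carries is written to the log verbatim."""
    return f"Server returned HTTP response code: {status} for URL: {req.full_url}"


def secret_in_message(message: str, secret: str) -> bool:
    """True when the secret would be exposed by logging this message."""
    return secret in message


# Defence in depth (assumed helper, not part of Gitblit): scrub secret-looking
# query parameters before a line reaches the log. Extend the names to match
# your own integrations.
_SECRET_QUERY_PARAMS = re.compile(
    r"([?&](?:key|api_key|token|password)=)[^&\s]+", re.IGNORECASE
)


def redact_query_secrets(log_line: str) -> str:
    """Replace the value of known secret query parameters with a marker."""
    return _SECRET_QUERY_PARAMS.sub(r"\1<redacted>", log_line)


if __name__ == "__main__":
    mistyped = "mypassword"  # the mistyped password from the report, reused as the key
    leaky = build_query_key_request(REDMINE_BASE, mistyped)
    fixed = build_header_key_request(REDMINE_BASE, mistyped)
    print(auth_failure_message(leaky))   # key visible in the URL
    print(auth_failure_message(fixed))   # URL carries no key
    print(redact_query_secrets(auth_failure_message(leaky)))
```

The header-based request keeps the secret out of every place the URL is copied to (error messages, access logs, proxy logs, browser history), which is why it is the right fix; the redaction helper only reduces the blast radius in log files and does not change what is sent on the wire.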

GoogleCodeExporter commented 9 years ago

Original comment by James.Mo...@gmail.com on 4 Sep 2014 at 6:25

GoogleCodeExporter commented 9 years ago
BTW, are you interested in hacking on issue-321? Supporting Redmine groups as Gitblit teams.

Original comment by James.Mo...@gmail.com on 4 Sep 2014 at 6:43

GoogleCodeExporter commented 9 years ago
v1.6.1 released

Original comment by James.Mo...@gmail.com on 20 Oct 2014 at 9:36