If I try to get some information about a data store using REST, the response contains encrypted data store passwords.
Some snippets, executing
curl -v -u admin:geoserver -XGET http://localhost:8080/geoserver/rest/workspaces/acme/datastores/nync.xml
results in
…
crypt1:pw5lO+WAt6nThMc1cywD3Q==
postgis
…
Even worse, doing the same REST call again, the encrypted password is different. (This is because we use a salt and the plain text password is encrypted for each REST call).
IMHO, I would expect the plain text password; the cipher text is quite useless.
Opinions?
Cheers
Christian
On Fri, Mar 15, 2013 at 5:24 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:
If I try to get some information about a data store using REST, the response contains encrypted data store passwords.
Some snippets, executing
curl -v -u admin:geoserver -XGET http://localhost:8080/geoserver/rest/workspaces/acme/datastores/nync.xml
results in
…
crypt1:pw5lO+WAt6nThMc1cywD3Q==
postgis
…
Even worse, doing the same REST call again, the encrypted password is different. (This is because we use a salt and the plain text password is encrypted for each REST call).
IMHO, I would expect the plain text password; the cipher text is quite useless.
Opinions?
I agree, returning the crypted password seems like a bug to me. These operations are
protected and only an admin can access them anyways.
Either that, or we should avoid returning the password at all…
Cheers
Andrea
–
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
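Andrea's second option, not returning the password at all, implemented as server-side redaction of the datastore XML, as an added example that is not code from this thread or from GeoServer. The <connectionParameters>/<entry key="passwd"> layout and the sample response are assumptions; only the quoted crypt1: value comes from the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a datastore REST response. The <connectionParameters>
# <entry key="..."> layout is assumed from GeoServer's datastore XML; the
# ciphertext is the one quoted in the thread.
SAMPLE_RESPONSE = """<dataStore>
  <name>nync</name>
  <enabled>true</enabled>
  <connectionParameters>
    <entry key="dbtype">postgis</entry>
    <entry key="host">localhost</entry>
    <entry key="user">acme</entry>
    <entry key="passwd">crypt1:pw5lO+WAt6nThMc1cywD3Q==</entry>
  </connectionParameters>
</dataStore>
"""

# Parameter keys that carry credentials, and the prefix GeoServer puts on
# encrypted values (crypt1:, crypt2:, ...).
SECRET_KEYS = {"passwd", "password"}
CIPHERTEXT_RE = re.compile(r"^crypt\d+:")
MASK = "********"


def ciphertext_entries(xml_text):
    """Keys of connection parameters whose value is still a crypt<n>: blob.
    Run this on a REST response: anything listed here is a leak."""
    root = ET.fromstring(xml_text)
    return [e.get("key") for e in root.iter("entry")
            if CIPHERTEXT_RE.match(e.text or "")]


def redact_datastore_response(xml_text):
    """Mask credential values before the document leaves the server, so the
    response carries neither the plain text password nor the (per-call
    salted, hence useless) ciphertext. Returns (redacted_xml, masked_keys)."""
    root = ET.fromstring(xml_text)
    masked = []
    for entry in root.iter("entry"):
        key = entry.get("key", "")
        if key.lower() in SECRET_KEYS or CIPHERTEXT_RE.match(entry.text or ""):
            entry.text = MASK
            masked.append(key)
    return ET.tostring(root, encoding="unicode"), masked


if __name__ == "__main__":
    clean, keys = redact_datastore_response(SAMPLE_RESPONSE)
    print("masked:", keys, "remaining leaks:", ciphertext_entries(clean))
```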