[rabbitmq-discuss] Leaking upstream credentials into federated messages' x-received-from header

[James Gardner]

Hi,

First if I may, I would like to extend my personal thanks to the 
RabbitMQ team for what I consider an exceptionally well-designed and 
generally very well documented piece of open source software. It really 
has been a pleasure to set up, configure and learn about, and I am 
excited about all the possible uses for a deployment here. Clearly a 
great deal of thought has gone into it, which I am always grateful for 
in any software I have to deal with :).
Having just experimented with federation while investigating RabbitMQ 
for a possible deployment, all has gone very well, with one important 
and uncharacteristic exception; I was frankly shocked to see that in the 
x-received-from header that is inserted into the re-published messages, 
one of the subcomponents (in addition to virtual_host and exchange which 
I can see might be useful) is called 'uri' and states verbatim the URI 
that was used to connect to the upstream server. This might be useful 
to, if it weren't for the fact that it includes the username and most 
worryingly, the plain text password!
This is one of those occasions where it seems so wrong I think there 
must be something I'm not getting :) and perhaps there is. But I don't 
see what I could be doing to invoke this behavior, nor do I see a way to 
switch it off.
I would be grateful if you could help me understand the rationale behind 
this feature and more importantly let me know how I can make sure 
credentials are not leaked into message headers, with all the obvious 
implications thereof.

I am using RabbitMQ version 3.0.3 on RHEL 6.4. To do the federation I am 
using a simple amqp:// style URI upstream definition mentioning 
username, password, hostname and vhost, and a policy which applies to 
one exchange using the 'all' upstream-set.
Let me know if you need any more info.

Thanks!

James Gardner
- NWS Internet Dissemination System