[rabbitmq-discuss] Leaking upstream credentials into federated messages' x-received-from header

Simon MacMullen simon at rabbitmq.com
Mon Mar 11 18:03:57 GMT 2013


On 11/03/13 17:22, James Gardner wrote:
> Having just experimented with federation while investigating RabbitMQ
> for a possible deployment, all has gone very well, with one important
> and uncharacteristic exception; I was frankly shocked to see that in the
> x-received-from header that is inserted into the re-published messages,
> one of the subcomponents (in addition to virtual_host and exchange which
> I can see might be useful) is called 'uri' and states verbatim the URI
> that was used to connect to the upstream server. This might be useful
> too, if it weren't for the fact that it includes the username and most
> worryingly, the plain text password!

That noise you can hear is me banging my head against the desk. I can't 
believe we didn't think of that.

Needless to say, a fix will be forthcoming. Rapidly.

Cheers, Simon

-- 
Simon MacMullen
RabbitMQ, VMware
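A defensive check for the leak James describes, added here as an example that is not from the thread or from RabbitMQ itself: it flags and redacts credentials embedded in the `uri` entries of an `x-received-from` header before a message is forwarded, logged or shown to a consumer. The header layout (a list of tables with `uri`, `exchange`, `virtual_host`) follows the thread's description and is an assumption; the sample values are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample of the header table described in the thread.
# The credential is made up for the example.
SAMPLE_X_RECEIVED_FROM = [{
    "uri": "amqp://fed_user:s3cr3t@upstream.example.net:5672/%2F",
    "exchange": "orders",
    "virtual_host": "/",
}]


def uri_has_credentials(uri: str) -> bool:
    """True if the URI carries a userinfo part (username and/or password)."""
    parts = urlsplit(uri)  # parses the netloc for any scheme that uses //
    return bool(parts.username or parts.password)


def redact_uri_credentials(uri: str) -> str:
    """Strip 'user:pass@' from the authority, keeping host, port and path."""
    parts = urlsplit(uri)
    if not uri_has_credentials(uri):
        return uri
    # Everything after the last '@' is host[:port]; case is preserved.
    host_port = parts.netloc.rpartition("@")[2]
    rest = parts.path
    if parts.query:
        rest += "?" + parts.query
    if parts.fragment:
        rest += "#" + parts.fragment
    return f"{parts.scheme}://{host_port}{rest}"


def sanitize_headers(headers: dict) -> tuple[dict, list[str]]:
    """Return a copy of the AMQP headers with x-received-from credentials
    removed, plus one finding per leaking entry for alerting."""
    cleaned = dict(headers)
    findings = []
    entries = headers.get("x-received-from") or []
    if isinstance(entries, dict):       # tolerate a single table
        entries = [entries]
    new_entries = []
    for table in entries:
        table = dict(table)
        uri = table.get("uri")
        if isinstance(uri, str) and uri_has_credentials(uri):
            findings.append(f"credentials in x-received-from for "
                            f"exchange={table.get('exchange')!r}")
            table["uri"] = redact_uri_credentials(uri)
        new_entries.append(table)
    if "x-received-from" in headers:
        cleaned["x-received-from"] = new_entries
    return cleaned, findings
```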


More information about the rabbitmq-discuss mailing list