[rabbitmq-discuss] Leaking upstream credentials into federated messages' x-received-from header
Matthias Radestock
matthias at rabbitmq.com
Mon Mar 11 18:10:54 GMT 2013
On 11/03/13 18:03, Simon MacMullen wrote:
> On 11/03/13 17:22, James Gardner wrote:
>> I was frankly shocked to see that in the x-received-from header
>> that is inserted into the re-published messages, one of the
>> subcomponents is called 'uri' and [...] includes the
>> username and most worryingly, the plain text password!
>
> That noise you can hear is me banging my head against the desk. I can't
> believe we didn't think of that.
FWIW, this bug was introduced in 3.0.0. Prior versions are fine.
Matthias.
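
Added example, not part of the original thread and not RabbitMQ's own code: a consumer-side check that strips the user name and password from the 'uri' field of x-received-from before the headers are logged or re-published, and reports which hops carried a password. It assumes the header has been decoded into a list of dicts that each hold a 'uri' string; the function names, hosts and credentials are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def redact_uri(uri):
    """Return (uri_without_userinfo, had_password)."""
    parts = urlsplit(uri)
    if "@" not in parts.netloc:
        return uri, False
    # Split on the last '@' so a raw '@' inside the password is still removed.
    userinfo, hostport = parts.netloc.rsplit("@", 1)
    had_password = ":" in userinfo
    return urlunsplit(parts._replace(netloc=hostport)), had_password


def scrub_received_from(headers):
    """Redact credentials in place; return indexes of hops that leaked a password."""
    leaked = []
    for i, hop in enumerate(headers.get("x-received-from", [])):
        # Assumption: each hop is a dict with a string 'uri' entry.
        if not isinstance(hop, dict) or not isinstance(hop.get("uri"), str):
            continue
        hop["uri"], had_password = redact_uri(hop["uri"])
        if had_password:
            leaked.append(i)
    return leaked


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real broker.
    sample = {
        "x-received-from": [
            {"uri": "amqp://fed_user:s3cret@upstream.example:5672/%2f"},
            {"uri": "amqp://other.example"},
        ]
    }
    hops = scrub_received_from(sample)
    print("hops that leaked a password:", hops)
    print(sample)
```

A non-empty result means the upstream password has already travelled with the message, so rotate that credential in addition to scrubbing the header.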