[rabbitmq-discuss] Leaking upstream credentials into federated messages' x-received-from header
james.gardner at noaa.gov
Mon Mar 11 18:39:50 GMT 2013
Your candor and speedy response have restored my faith and my sanity :)
In my view this issue was the only obstacle stopping us from deploying
so I am looking forward to proceeding once a fix is released.
Thanks again to all,
On 03/11/2013 01:10 PM, Matthias Radestock wrote:
> On 11/03/13 18:03, Simon MacMullen wrote:
>> On 11/03/13 17:22, James Gardner wrote:
>>> I was frankly shocked to see that in the x-received-from header
>>> that is inserted into the re-published messages, one of the
>>> subcomponents is called 'uri' and [...] includes the
>>> username and most worryingly, the plain text password!
>> That noise you can hear is me banging my head against the desk. I can't
>> believe we didn't think of that.
> FWIW, this bug was introduced in 3.0.0. Prior versions are fine.
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
More information about the rabbitmq-discuss