[rabbitmq-discuss] Leaking upstream credentials into federated messages' x-received-from header

Matthias Radestock matthias at rabbitmq.com
Mon Mar 11 18:10:54 GMT 2013

On 11/03/13 18:03, Simon MacMullen wrote:
> On 11/03/13 17:22, James Gardner wrote:
>> I was frankly shocked to see that in the x-received-from header
>> that is inserted into the re-published messages, one of the
>> subcomponents is called 'uri' and [...] includes the
>> username and most worryingly, the plain text password!
> That noise you can hear is me banging my head against the desk. I can't
> believe we didn't think of that.

FWIW, this bug was introduced in 3.0.0. Prior versions are fine.


More information about the rabbitmq-discuss mailing list