rabbitmq-server
Channel state contains un-obfuscated user data
Related to #3803
See https://groups.google.com/g/rabbitmq-users/c/Toq7BRq2Npk
The mailing list user reports a case where an LDAP password is logged as part of mfargs to rabbit_channel:start_link.
It appears that the impl field of the #auth_user record could be obfuscated to prevent scenarios like this.
In addition, the user information is stored in the channel state which could be logged at some point -
https://github.com/rabbitmq/rabbitmq-server/blob/master/deps/rabbit/src/rabbit_channel.erl#L531
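One way to obfuscate a field like impl is to hide its value behind a zero-arity closure, so that printing the record (for example as part of mfargs in a report) does not render the captured data. This is an added example, not rabbitmq-server code; the module name, the simplified auth_user record layout and the sample password are assumptions constructed for illustration.

```erlang
%% Added illustration; not rabbitmq-server code. The record layout and
%% every name below are assumptions made for this example.
-module(auth_user_obfuscation_demo).
-export([wrap/1, unwrap/1, leaks/2, demo/0]).

-record(auth_user, {username, tags, impl}).

%% Hide backend-specific state behind a zero-arity closure. When the
%% record is formatted with ~p, a fun renders as #Fun<...> and its
%% captured variables are not printed.
wrap(#auth_user{impl = Impl} = U) when not is_function(Impl) ->
    U#auth_user{impl = fun() -> Impl end};
wrap(#auth_user{} = U) ->
    U.  %% already wrapped, leave untouched

%% Recover the real value only at the point of use.
unwrap(#auth_user{impl = Impl}) when is_function(Impl, 0) -> Impl();
unwrap(#auth_user{impl = Impl}) -> Impl.

%% True if Secret appears in the ~p rendering of Term. The width of
%% 1000 keeps the rendering on one line so the search is reliable.
leaks(Term, Secret) ->
    Rendered = lists:flatten(io_lib:format("~1000p", [Term])),
    string:find(Rendered, Secret) =/= nomatch.

demo() ->
    Secret = "constructed-ldap-password",   %% constructed sample value
    Plain = #auth_user{username = <<"alice">>, tags = [],
                       impl = [{password, Secret}]},
    Wrapped = wrap(Plain),
    %% An {M, F, A} tuple shaped like the mfargs from the report.
    true  = leaks({rabbit_channel, start_link, [Plain]}, Secret),
    false = leaks({rabbit_channel, start_link, [Wrapped]}, Secret),
    [{password, Secret}] = unwrap(Wrapped),
    ok.
```

The closure only keeps the value out of formatted terms: it is still present in process memory and can be read with erlang:fun_info(Fun, env), so it does not replace encrypting the credential.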