Actions
Bug #10794
closedHAProxy Stats page credentials are not redacted in status.php
Start date:
07/28/2020
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All
Description
The status_output file generated by status.php does not redact the HAProxy stats page login details:
<stats_enabled></stats_enabled> <stats_username>admin</stats_username> <stats_password>topsecret</stats_password> <stats_uri></stats_uri>
They are also not shown by default which makes it hard to find them or spot of a browser has auto-filled it.
Updated by Viktor Gurov over 4 years ago
Sanitize stats_password:
https://github.com/pfsense/pfsense/pull/4407
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Danilo Zrenjanin over 4 years ago
- Status changed from Feedback to Resolved
Tested on :
2.5.0-DEVELOPMENT (amd64)
built on Thu Sep 03 19:02:32 EDT 2020
FreeBSD 12.2-PRERELEASE
HAProxy Stats page credentials are redacted in status.php
<stats_enabled>yes</stats_enabled> <stats_username>daniloz</stats_username> <stats_password>xxxxx</stats_password>
I am resolving the ticket.
Updated by Jim Pingle about 4 years ago
- Category changed from Web Interface to Diagnostics
Actions