author | Madelyn Olson <34459052+madolson@users.noreply.github.com> | 2021-05-19 08:23:54 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-05-19 08:23:54 -0700 |
commit | a59e75a475782d86d7ce2b5b9c6f5bb4a5ef0bd6 (patch) | |
tree | cb3d9aa81aa2ada903e1465b64e2d733103837e8 /src/acl.c | |
parent | d67e66de72edc49a5493c963fd7cb97411165d8c (diff) | |
download | redis-a59e75a475782d86d7ce2b5b9c6f5bb4a5ef0bd6.tar.gz |
Hide migrate command from slowlog if they include auth (#8859)
Redact commands that include sensitive data from slowlog and monitor
Diffstat (limited to 'src/acl.c')
-rw-r--r-- | src/acl.c | 13 |
1 files changed, 9 insertions, 4 deletions
@@ -1892,10 +1892,6 @@ void addACLLogEntry(client *c, int reason, int argpos, sds username) {
 void aclCommand(client *c) {
 char *sub = c->argv[1]->ptr;
 if (!strcasecmp(sub,"setuser") && c->argc >= 3) {
- /* Consider information about passwords or permissions
- * to be sensitive, which will be the arguments for this
- * subcommand. */
- preventCommandLogging(c);
 sds username = c->argv[2]->ptr;
 /* Check username validity. */
 if (ACLStringHasSpaces(username,sdslen(username))) {
@@ -1912,6 +1908,12 @@ void aclCommand(client *c) {
 user *u = ACLGetUserByName(username,sdslen(username));
 if (u) ACLCopyUser(tempu, u);
+ /* Initially redact all of the arguments to not leak any information
+ * about the user. */
+ for (int j = 2; j < c->argc; j++) {
+ redactClientCommandArgument(c, j);
+ }
+
 for (int j = 3; j < c->argc; j++) {
 if (ACLSetUser(tempu,c->argv[j]->ptr,sdslen(c->argv[j]->ptr)) != C_OK) {
 const char *errmsg = ACLSetUserStringError();
@@ -2245,6 +2247,8 @@ void authCommand(client *c) {
 addReplyErrorObject(c,shared.syntaxerr);
 return;
 }
+ /* Always redact the second argument */
+ redactClientCommandArgument(c, 1);
 /* Handle the two different forms here. The form with two arguments
 * will just use "default" as username. */
@@ -2264,6 +2268,7 @@ void authCommand(client *c) {
 } else {
 username = c->argv[1];
 password = c->argv[2];
+ redactClientCommandArgument(c, 2);
 }
 if (ACLAuthenticateUser(c,username,password) == C_OK) { |
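Review bot: The redaction loop in the second hunk runs only after the username validity check, so a SETUSER request rejected by `ACLStringHasSpaces` appears to return with its password and permission arguments unredacted, now that the first hunk has removed the `preventCommandLogging(c)` call that used to cover that path. The lines between the two hunks are not shown, so the early return is inferred from the "Check username validity" context. Placing `for (int j = 2; j < c->argc; j++) redactClientCommandArgument(c, j);` at the top of the `setuser` branch, where the removed call stood, would cover the failure paths as well. The comment could also state that the loop starts at index 2 so that the user name is hidden while the command and subcommand remain visible in the log.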
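Review bot: In the third hunk `redactClientCommandArgument(c, 1)` sits after the `shared.syntaxerr` return, so an AUTH request rejected there is never redacted even though it may still carry a username and password; the rejecting condition is above the hunk, presumably an argument-count check. Redacting before that check, for example `for (int j = 1; j < c->argc; j++) redactClientCommandArgument(c, j);`, would hide credentials on the error path too and would make the separate call for index 2 in the last hunk unnecessary. The comment "Always redact the second argument" would also be clearer if it said that `argv[1]` is the password in the two-argument form and the username in the three-argument form.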
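Review bot: In the last hunk `password` still refers to `c->argv[2]` when `redactClientCommandArgument(c, 2)` runs and is then passed to `ACLAuthenticateUser`, so the line depends on the helper leaving the live `argv` entries intact and valid. The helper is defined outside this file's diff, so that contract cannot be confirmed from here; the same dependency exists for `argv[1]` after the call in the previous hunk. If that is the contract, a comment such as `/* Redaction only changes what is logged; c->argv stays usable below. */` above the first call would record it for the next reader. authCommand's body continues outside both hunks.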