Obfuscate passwords in logs that show configuration
There seem to be only two types of logging that could expose passwords: configuration logs and dbaccess logs.
INFO [kea-dhcp4.dhcpsrv] DHCPSRV_MYSQL_DB opening MySQL lease database: host=127.0.0.1 max-reconnect-tries=3 name=keatest password=***** port=3306 reconnect-wait-time=3000 type=mysql universe=4 user=keatest
dbaccess logs are covered, but config logs have the password exposed, except for this kea-ctrl-agent configuration log, which also obfuscates it:
DEBUG [kea-ctrl-agent.dctl] DCTL_CONFIG_START parsing new configuration: { "authentication": { "clients": [ { "password": "*****", "user": "superadmin" } ], ... }
So this seems like a slip-up in hiding passwords everywhere?
Something to note in the code is that there might be some places where passwords can't be hidden, like this place, where the problem seems to be that it might rethrow:
} catch (const std::exception& ex) {
    // We'd obscure the password if we could parse the access string.
    DB_LOG_ERROR(DB_INVALID_ACCESS).arg(dbaccess);
    throw;
}
Is this a similar case?
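As an added illustration (not Kea's code, and not part of the original report), here is one way to mask passwords in both kinds of log text without depending on a successful parse, which is the situation in the catch block above. It uses regular expressions rather than Kea's own parsing; the function names `redactJsonPasswords` and `redactAccessString` are hypothetical, and the sample passwords are constructed.

```cpp
#include <iostream>
#include <regex>
#include <string>

// Hypothetical helper: mask string values of "password" keys in serialized
// JSON configuration text before it is handed to the logger.
std::string redactJsonPasswords(const std::string& text) {
    // Value pattern accepts escaped characters (e.g. \") inside the string.
    static const std::regex re(R"re(("password"\s*:\s*)"(?:[^"\\]|\\.)*")re");
    return std::regex_replace(text, re, "$1\"*****\"");
}

// Hypothetical helper: mask the password in a "key=value key=value" access
// string without parsing it, so it also works on strings the parser rejects.
// The value is masked up to the next " key=" token or the end of the string;
// a malformed tail is dropped rather than risk logging part of the secret.
std::string redactAccessString(const std::string& access) {
    static const std::regex re(R"re((^|\s)(password=).*?(?=\s+[^\s=]+=|$))re");
    return std::regex_replace(access, re, "$1$2*****");
}

int main() {
    // Constructed samples; the passwords are made up.
    std::cout << redactJsonPasswords(
        R"j({ "clients": [ { "password": "1234", "user": "superadmin" } ] })j") << "\n";
    std::cout << redactAccessString(
        "host=127.0.0.1 name=keatest password=1234 port=3306 user=keatest") << "\n";
    std::cout << redactAccessString("host=127.0.0.1 password=12 34 port") << "\n";
    return 0;
}
```

The JSON helper only matches the exact key `"password"` with a string value; other secret-bearing keys would need their own patterns.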