From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from smtpng3.m.smailru.net (smtpng3.m.smailru.net [94.100.177.149])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by dev.tarantool.org (Postfix) with ESMTPS id BDB75469719
	for ; Wed, 26 Feb 2020 19:19:58 +0300 (MSK)
Date: Wed, 26 Feb 2020 19:14:38 +0300
From: Igor Munkin
Message-ID: <20200226161438.GL404@tarantool.org>
References: <20191212212543.37466-1-maria.khaydich@tarantool.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20191212212543.37466-1-maria.khaydich@tarantool.org>
Subject: Re: [Tarantool-patches] [PATCH] box: replication shouldn't leak user password
List-Id: Tarantool development patches
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
To: Maria
Cc: tarantool-patches@dev.tarantool.org, v.shpilevoy@tarantool.org

Masha,

Thanks, the patch LGTM considering Vlad's remarks and review fix on top.
Please don't forget to squash it with the original patch.

On 13.12.19, Maria wrote:
> It was possible to leak user password through setting 'replication'
> configuration option in first box.cfg invocation. This happened due
> to unconditional logging in load_cfg function. The patch introduces
> conditional logging.
>
> Closes #4493
> ---
> Issue:
> https://github.com/tarantool/tarantool/issues/4493
> Branch:
> https://github.com/tarantool/tarantool/tree/eljashm/gh-4493-box.cfg-log-may-leak-passwords
>
>  src/box/lua/load_cfg.lua   |  3 +++
>  test/box/load_cfg.result   | 37 +++++++++++++++++++++++++++++++++++++
>  test/box/load_cfg.test.lua | 14 ++++++++++++++
>  test/box/lua/cfg_test6.lua | 10 ++++++++++
>  4 files changed, 64 insertions(+)
>  create mode 100644 test/box/load_cfg.result
>  create mode 100644 test/box/load_cfg.test.lua
>  create mode 100644 test/box/lua/cfg_test6.lua
>
> --
> 2.20.1 (Apple Git-117)
>

--
Best regards,
IM
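
The commit message quoted above attributes the leak to the 'replication' option being logged unconditionally while its value can carry a password. As an added illustration (not the patch and not Tarantool's load_cfg.lua), this Lua sketch goes one step beyond skipping the log line and masks the password before formatting it; `SENSITIVE_OPTIONS`, `redact_uri`, `redact_value`, `to_text` and `cfg_log_line` are hypothetical names, and the URIs are constructed samples assumed to have the `login:password@host:port` form.

```lua
-- Added illustration; not Tarantool's load_cfg.lua or the patch itself.
-- All function and table names here are hypothetical.

-- Options whose values may embed credentials (assumption for this sketch).
local SENSITIVE_OPTIONS = { replication = true }

-- Mask the password in "login:password@host:port"; other strings pass through.
local function redact_uri(uri)
    if type(uri) ~= 'string' then return uri end
    local scheme, rest = uri:match('^(%a[%w+.%-]*://)(.*)$')
    if not scheme then scheme, rest = '', uri end
    -- Split on the last '@' so a password containing '@' is masked whole.
    local userinfo, host = rest:match('^(.*)@([^@]*)$')
    if not userinfo then return uri end      -- no credentials
    local login = userinfo:match('^([^:]*):')
    if not login then return uri end         -- login only, no password
    return scheme .. login .. ':***@' .. host
end

-- The option may hold one URI or a list of URIs.
local function redact_value(val)
    if type(val) ~= 'table' then return redact_uri(val) end
    local out = {}
    for i, v in ipairs(val) do out[i] = redact_uri(v) end
    return out
end

local function to_text(val)
    if type(val) ~= 'table' then return tostring(val) end
    local parts = {}
    for i, v in ipairs(val) do parts[i] = tostring(v) end
    return '[' .. table.concat(parts, ', ') .. ']'
end

-- Build the log line for one option, redacting sensitive ones first.
local function cfg_log_line(key, val)
    if SENSITIVE_OPTIONS[key] then val = redact_value(val) end
    return ('cfg: %s = %s'):format(key, to_text(val))
end

-- Constructed sample configuration (documentation-range addresses).
local cfg = {
    listen = 3301,
    replication = { 'repl:s3cr@t@192.0.2.10:3301', '192.0.2.11:3301' },
}
for _, key in ipairs({ 'listen', 'replication' }) do
    print(cfg_log_line(key, cfg[key]))
end
```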