  1. i2b2 Core Software
  2. CORE-308

Full Request XML message is stored in the QT_PDO_QUERY_MASTER table

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.7.10
    • Fix Version/s: 1.7.11
    • Component/s: None
    • Labels:
      None
    • Affects Database/s:
      All databases
    • Affects Web Browser/s:
      All Web Browsers

      Description

      In the QT_PDO_QUERY_MASTER table, the full request XML message is stored in the REQUEST_XML column. This includes the message header, which means we could store passwords. This would only be a problem if sites have configured their system to display passwords instead of session keys (tokens).

      The QT_QUERY_MASTER table has a similar column that is also called REQUEST_XML. The <query_definition> is the only section of the request message that is stored in the REQUEST_XML column.

      In the QT_PDO_QUERY_MASTER table, a modified version of the request message should be stored, the same as we do in the QT_QUERY_MASTER table. By not storing the <message_header>, we do not run the risk of storing and potentially exposing passwords.
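
The change requested above, together with a check for rows written before the fix, sketched in Python as an added example; it is not i2b2's own code. Only `<message_header>` is taken from the issue: the sample message, the other element names and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample request. Only <message_header> is named in the issue;
# every other element name and value here is an assumption for illustration.
SAMPLE_REQUEST = """<request>
  <message_header>
    <security>
      <username>analyst</username>
      <password>CONSTRUCTED-SECRET</password>
    </security>
  </message_header>
  <message_body><payload>constructed</payload></message_body>
</request>"""

HEADER_TAG = "message_header"


def local_name(tag):
    """Return an element tag without any '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]


def strip_header(request_xml):
    """Return the request with every <message_header> subtree removed,
    i.e. the form that is safe to write to REQUEST_XML."""
    root = ET.fromstring(request_xml)
    for parent in list(root.iter()):
        for child in list(parent):
            if local_name(child.tag) == HEADER_TAG:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def rows_with_header(rows):
    """Given (id, REQUEST_XML) pairs read from the table, return the ids
    that still contain a header and so may hold credentials."""
    flagged = []
    for row_id, xml_text in rows:
        try:
            root = ET.fromstring(xml_text)
        except ET.ParseError:
            flagged.append(row_id)  # unparseable rows need manual review
            continue
        if any(local_name(e.tag) == HEADER_TAG for e in root.iter()):
            flagged.append(row_id)
    return flagged
```

Rows flagged by `rows_with_header` predate the fix and are candidates for rewriting with `strip_header`.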
