[#CORE-308] Full Request XML message is stored in the QT_PDO_QUERY

[CORE-308] Full Request XML message is stored in the QT_PDO_QUERY_MASTER table Created: 25/May/18 Updated: 17/Jan/19 Resolved: 17/Jan/19
Status:	Resolved
Project:	i2b2 Core Software
Component/s:	None
Affects Version/s:	1.7.10
Fix Version/s:	1.7.11

Type:

Bug

Priority:

Major

Reporter:

Janice Donahoe

Assignee:

Reeta Metta

Resolution:

Fixed

Votes:

Labels:

None

Remaining Estimate:

Not Specified

Time Spent:

Not Specified

Original Estimate:

Not Specified

Rank:

0|i003zj:

Affects Database/s:

All databases

Affects Web Browser/s:

All Web Browsers

Participant/s:

Janice Donahoe, Reeta Metta

Description

In the QT_PDO_QUERY_MASTER table, the full request XML message is stored in the REQUEST_XML column. This includes the message header, which means we could store passwords. This would only be a problem if sites have configured their system to display passwords instead of session keys (tokens).

The QT_QUERY_MASTER table has a similar column that is also called REQUEST_XML. The <query_definition> is the only section of the request message that is stored in the REQUEST_XML Column.

In the QT_PDO_QUERY_MASTER table a modified version of the Request message should be stored the same as we do in the QT_QUERY_MASTER table. By not storing the <message_header> we do not run the risk of storing and potentially exposing passwords.

Generated at Wed Apr 24 19:17:47 UTC 2024 using Jira 8.20.11#820011-sha1:0629dd8d260e3954ece49053e565d01dabe11609.

[CORE-308] Full Request XML message is stored in the QT_PDO_QUERY_MASTER table Created: 25/May/18 Updated: 17/Jan/19 Resolved: 17/Jan/19