[CORE-308] Full Request XML message is stored in the QT_PDO_QUERY_MASTER table
Created: 25/May/18 | Updated: 17/Jan/19 | Resolved: 17/Jan/19

Status: Resolved
Project: i2b2 Core Software
Component/s: None
Affects Version/s: 1.7.10
Fix Version/s: 1.7.11
Type: Bug
Priority: Major
Reporter: Janice Donahoe
Assignee: Reeta Metta
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Rank: 0|i003zj:
Affects Database/s: All databases
Affects Web Browser/s: All Web Browsers

Description
In the QT_PDO_QUERY_MASTER table, the full request XML message is stored in the REQUEST_XML column. This includes the message header, which means we could store passwords. This would only be a problem if sites have configured their system to display passwords instead of session keys (tokens).
The QT_QUERY_MASTER table has a similar column that is also called REQUEST_XML. The <query_definition> is the only section of the request message that is stored in the REQUEST_XML column. In the QT_PDO_QUERY_MASTER table, a modified version of the request message should be stored, the same as we do in the QT_QUERY_MASTER table. By not storing the <message_header>, we do not run the risk of storing and potentially exposing passwords.
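
The following is an added example, not code from i2b2 or from this issue: a sketch of the remediation described above, removing <message_header> from a request before it is written to REQUEST_XML, together with an audit check for values already stored. The sample message is constructed, and every element name in it other than <message_header> is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample request. Only <message_header> is named in the issue;
# the namespace and all other element names are assumptions.
SAMPLE_REQUEST = """<ns6:request xmlns:ns6="http://example.invalid/msg">
  <message_header>
    <security>
      <domain>demo</domain>
      <username>demo</username>
      <password>constructed-secret</password>
    </security>
  </message_header>
  <message_body>
    <pdo_request>constructed body</pdo_request>
  </message_body>
</ns6:request>"""


def local_name(tag):
    """Return an element tag without its '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]


def strip_header(request_xml, header="message_header"):
    """Return request_xml with every <header> element removed, at any depth."""
    # Input is assumed to come from the application's own request pipeline;
    # parse untrusted XML with a hardened parser instead.
    root = ET.fromstring(request_xml)
    if local_name(root.tag) == header:
        raise ValueError("root element is the header; refusing to store it")
    for parent in list(root.iter()):
        for child in list(parent):
            if local_name(child.tag) == header:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def contains_header(stored_xml, header="message_header"):
    """Audit check for a REQUEST_XML value that is already stored."""
    try:
        root = ET.fromstring(stored_xml)
    except ET.ParseError:
        # Unparseable values are flagged for manual review, not passed.
        return True
    return any(local_name(el.tag) == header for el in root.iter())
```

Matching on the local name rather than the literal tag means a namespace-prefixed header is removed as well.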