[CORE-308] Full Request XML message is stored in the QT_PDO_QUERY_MASTER table

Created: 25/May/18  Updated: 17/Jan/19  Resolved: 17/Jan/19

Status: Resolved
Project: i2b2 Core Software
Component/s: None
Affects Version/s: 1.7.10
Fix Version/s: 1.7.11

Type: Bug Priority: Major
Reporter: Janice Donahoe Assignee: Reeta Metta
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Rank: 0|i003zj:
Affects Database/s:
All databases
Affects Web Browser/s:
All Web Browsers

In the QT_PDO_QUERY_MASTER table, the full request XML message is stored in the REQUEST_XML column. This includes the message header, which means we could store passwords. This would only be a problem if sites have configured their system to display passwords instead of session keys (tokens).

The QT_QUERY_MASTER table has a similar column that is also called REQUEST_XML. The <query_definition> is the only section of the request message that is stored in the REQUEST_XML column.

In the QT_PDO_QUERY_MASTER table, a modified version of the request message should be stored, the same as we do in the QT_QUERY_MASTER table. By not storing the <message_header>, we do not run the risk of storing and potentially exposing passwords.
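
The remediation described in this ticket, sketched as an added example (not i2b2's own code and not the 1.7.11 fix): drop the `<message_header>` subtree before the request is persisted, and audit already-stored REQUEST_XML values for rows that still carry one. The function names, the namespace URI and the sample message are constructed for illustration; only `<message_header>` is taken from the ticket.

```python
import xml.etree.ElementTree as ET

# Constructed sample request. The namespace URI and every element name other
# than <message_header> are assumptions made for this illustration.
SAMPLE_REQUEST = """<ns:request xmlns:ns="http://example.org/msg">
  <message_header>
    <security>
      <domain>demo</domain>
      <username>alice</username>
      <password>CONSTRUCTED-SECRET</password>
    </security>
  </message_header>
  <message_body>
    <pdo_request><patient_set_coll_id>42</patient_set_coll_id></pdo_request>
  </message_body>
</ns:request>"""


def local_name(tag):
    """Return the element name without any '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]


def strip_message_header(request_xml):
    """Return the request XML with every <message_header> subtree removed."""
    root = ET.fromstring(request_xml)
    # Snapshot the tree first so removals do not disturb the iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if local_name(child.tag) == "message_header":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def contains_message_header(stored_xml):
    """Audit check for a stored REQUEST_XML value.

    Returns True when a <message_header> is present. Values that cannot be
    parsed also return True so they are reviewed rather than silently passed.
    """
    try:
        root = ET.fromstring(stored_xml)
    except ET.ParseError:
        return True
    return any(local_name(el.tag) == "message_header" for el in root.iter())
```

Rows written before the fix would still hold the full message, so the audit function is meant to be run over existing REQUEST_XML values as well as new ones.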
