Do not log passwords on failed authentication attempts (issue-316)
authorJames Moger <james.moger@gitblit.com>
Fri, 27 Sep 2013 12:02:33 +0000 (08:02 -0400)
committerJames Moger <james.moger@gitblit.com>
Fri, 27 Sep 2013 12:02:33 +0000 (08:02 -0400)
releases.moxie
src/main/java/com/gitblit/GitBlit.java

index 23c0de8b3f04e5837e3420d924de223f46bad16a..f9e21d4bcb5c77d93d266e90028403f6414a06b6 100644 (file)
@@ -17,6 +17,7 @@ r20: {
        - Personal repository prefix (~) is now configurable (issue-265)
        - Reversed line links in blob view (issue-309)
        - Dashboard and Activity pages now obey the web.generateActivityGraph setting (issue-310)
+       - Do not log passwords on failed authentication attempts (issue-316)
        - Updated default binary and Lucene ignore extensions
     additions:
        - Added branch graph image servlet based on EGit's branch graph renderer (issue-194)
index 2cebe82b0f624f0feb6e69c124e30b5174a9b50f..c31a0e97df2a8313bfb9246a2e4d768f31715683 100644 (file)
@@ -947,8 +947,8 @@ public class GitBlit implements ServletContextListener {
                                                        user.username, httpRequest.getRemoteAddr()));
                                        return user;
                                } else {
-                                       logger.warn(MessageFormat.format("Failed login attempt for {0}, invalid credentials ({1}) from {2}", 
-                                                       username, credentials, httpRequest.getRemoteAddr()));
+                                       logger.warn(MessageFormat.format("Failed login attempt for {0}, invalid credentials from {1}", 
+                                                       username, httpRequest.getRemoteAddr()));
                                }
                        }
                }
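Review bot: The new `logger.warn` call still writes `username` into the log verbatim, and that value presumably comes from the client-supplied credentials (its derivation is outside the hunk, as are the start and end of the enclosing method). If it can contain CR or LF, a failed login could split the entry into forged log lines, so I would neutralise control characters first, e.g. `String safeUser = username.replaceAll("[\\r\\n]", "_");`, and log `safeUser`. Note also that a password typed into the username field by mistake would still reach the log through this message. A short comment above the call, such as `// never log the credentials string: it contains the clear-text password`, would help keep the argument from being reintroduced later.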