From: mereth
Date: Mon, 18 Aug 2014 23:13:37 +0000 (+0200)
Subject: fix misstyped passwords leaked in log files with redmine auth provider
X-Git-Tag: v1.6.1~62^2
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=2445d4b2b80671bdcefbd4ed81f394a5249ee13d;p=gitblit.git
fix misstyped passwords leaked in log files with redmine auth provider
---
diff --git a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
index 7e957ecb..e505a54d 100644
--- a/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
+++ b/src/main/java/com/gitblit/auth/RedmineAuthProvider.java
@@ -153,15 +153,16 @@ public class RedmineAuthProvider extends UsernamePasswordAuthenticationProvider
 if (!url.endsWith("/")) {
 url = url.concat("/");
 }
+ String apiUrl = url + "users/current.json";
+
 HttpURLConnection http;
 if (username == null) {
 // apikey authentication
 String apiKey = String.valueOf(password);
- String apiUrl = url + "users/current.json?key=" + apiKey;
 http = (HttpURLConnection) ConnectionUtils.openConnection(apiUrl, null, null);
+ http.addRequestProperty("X-Redmine-API-Key", apiKey);
 } else {
 // username/password BASIC authentication
- String apiUrl = url + "users/current.json";
 http = (HttpURLConnection) ConnectionUtils.openConnection(apiUrl, username, password);
 }
 http.setRequestMethod("GET");
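Review bot: In the apikey branch the key now travels as the `X-Redmine-API-Key` request property, and `HttpURLConnection` follows redirects by default, so a redirect answered by the configured `url` may resend that header to a different location unless redirects are disabled somewhere outside this hunk; consider `http.setInstanceFollowRedirects(false);` directly after the `addRequestProperty` call. Nothing visible here checks that `url` uses `https`, so whether the key and the BASIC credentials are protected in transit depends entirely on configuration, and a logged warning for a plain-`http` Redmine URL would make that visible to operators. I would also put a why-comment above the header line so the query-string form is not reintroduced later, e.g. `// send the key as a header, never in the URL: URLs end up in logs and exception messages`. The enclosing method starts and ends outside the hunk, so the redirect and scheme handling should be confirmed against the full file.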