
Merge pull request #10284 from wangkx/h17809a

HPCC-17809 Hide password from ESP login page in esp.log

Reviewed-By: Anthony Fishbeck <anthony.fishbeck@lexisnexis.com>
Reviewed-By: Richard Chapman <rchapman@hpccsystems.com>
Richard Chapman 7 years ago
parent
commit
3395f580f6

+ 2 - 2
esp/bindings/http/platform/httpservice.cpp

@@ -1059,13 +1059,13 @@ EspAuthState CEspHttpServer::checkUserAuthPerSession(EspAuthRequest& authReq)
         return authSucceeded;
     }
 
-    if (urlCookie.isEmpty())
+    if (authReq.serviceName.isEmpty() || authReq.methodName.isEmpty() || !strieq(authReq.serviceName.str(), "esp") || !strieq(authReq.methodName.str(), "login"))
         return authUnknown;
 
     const char* userName = (authReq.requestParams) ? authReq.requestParams->queryProp("username") : NULL;
     const char* password = (authReq.requestParams) ? authReq.requestParams->queryProp("password") : NULL;
     if (!isEmptyString(userName) && !isEmptyString(password))
-        return authNewSession(authReq, userName, password, urlCookie.str());
+        return authNewSession(authReq, userName, password, urlCookie.isEmpty() ? "/" : urlCookie.str());
 
     if (authReq.isSoapPost) //from SOAP Test page
         sendMessage("Authentication failed: empty user name or password.", "text/html; charset=UTF-8");
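Review bot: The `userName` and `password` values read just below the new service/method guard come from `authReq.requestParams` with no check of the HTTP verb. If that property tree also carries query-string parameters (not visible in this hunk), a login sent as GET would put the password in the request line, which the body masking added in httptransport.cpp does not cover. Consider requiring a POST in the guard that returns `authUnknown` before `authNewSession` is reached, and confirm whether the request line or URL is written to esp.log elsewhere. The two `isEmpty()` tests also look redundant if `strieq` already fails against an empty string. checkUserAuthPerSession starts and ends outside this hunk.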

+ 8 - 11
esp/bindings/http/platform/httptransport.cpp

@@ -774,7 +774,14 @@ void CHttpMessage::logMessage(MessageLogFlag messageLogFlag, const char *prefix)
             else if ((m_content_type.length() > 0) && (strieq(m_content_type.get(), "text/css") || strieq(m_content_type.get(), "text/javascript")))
                 DBGLOG("%s<content_type: %s>", prefix, m_content_type.get());
             else
-                logMessage(m_content.str(), prefix);
+            {
+                StringBuffer httpPath;
+                getPath(httpPath);
+                if (!strieq(httpPath.str(), "/esp/login"))
+                    logMessage(m_content.str(), prefix);
+                else
+                    logMessage(m_content.str(), prefix, "password=*", "password=(hidden)");
+            }
         }
     }
     catch (IException *e)
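Review bot: Masking in the new `else` branch is applied only when the path equals `/esp/login`, whereas the login handler in httpservice.cpp is selected by service and method name. If the two can disagree (a trailing slash or extra path segment that still resolves to esp/login), or if any other form body carries a `password=` field, the content is still logged in clear. Unless masking every body is too costly, the more robust form is to drop the path test and always call `logMessage(m_content.str(), prefix, "password=*", "password=(hidden)");`. The four-argument overload is not shown here, so confirm that the `password=*` pattern stops at the next `&` and still matches when the field name is URL-encoded or differently cased. The enclosing logMessage body begins outside this hunk.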
@@ -1095,16 +1102,6 @@ void CHttpRequest::setMethod(const char* method)
     m_httpMethod.set(method);
 }
 
-StringBuffer& CHttpRequest::getPath(StringBuffer & path)
-{
-    return path.append(m_httpPath.str());
-}
-
-void CHttpRequest::setPath(const char* path)
-{
-    m_httpPath.set(path);
-}
-
 void CHttpRequest::parseQueryString(const char* querystr)
 {
     if(!querystr || !*querystr)

+ 5 - 5
esp/bindings/http/platform/httptransport.ipp

@@ -59,6 +59,7 @@ protected:
     ISocket&     m_socket;
     Owned<IBufferedSocket> m_bufferedsocket;
 
+    StringAttr   m_httpPath;
     StringAttr   m_content_type;
     __int64      m_content_length;
     StringBuffer m_content;
@@ -143,6 +144,10 @@ public:
         port = m_socket.name(host.reserveTruncate(32), 32);
     }
 
+    virtual void setPath(const char* path) { m_httpPath.set(path); };
+    virtual StringBuffer& getPath(StringBuffer& path) { return path.append(m_httpPath.str()); };
+    virtual const char* queryPath() {return m_httpPath.str();}
+
     virtual StringBuffer& getParameter(const char* paramname, StringBuffer& paramval);
     virtual StringBuffer& getAttachment(const char* name, StringBuffer& attachment);
     virtual StringBuffer& getParamStr(StringBuffer& paramval);
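Review bot: The accessors added to CHttpMessage are undocumented, and `getPath` appends to the caller's buffer rather than replacing its contents, which is easy to misuse when a buffer is reused. A one-line comment above it would help, e.g. `// Appends the request path to 'path'; does not clear it first.`. The `setPath` and `getPath` definitions also end in `};`, where the trailing semicolon is an empty declaration that pedantic builds warn about, while `queryPath()` on the next line has none. The class body starts and ends outside this hunk.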
@@ -293,7 +298,6 @@ class esp_http_decl CHttpRequest : public CHttpMessage
 {
 private:
     StringAttr    m_httpMethod;
-    StringAttr    m_httpPath;
     StringAttr    m_espServiceName;
     StringAttr    m_espMethodName;
     StringAttr    m_espPathEx;
@@ -321,10 +325,6 @@ public:
     virtual const char* queryServiceName() { return m_espServiceName.str(); }
     virtual const char* queryServiceMethod() { return m_espMethodName.str(); }
     
-    virtual void setPath(const char* path);
-    virtual StringBuffer& getPath(StringBuffer& path);
-    virtual const char *queryPath(){return m_httpPath.str();}
-
     virtual void parseQueryString(const char* querystr);
 
     virtual void parseEspPathInfo();

+ 1 - 1
esp/src/eclwatch/templates/Login.html

@@ -116,7 +116,7 @@
                 <img src="../img/Loginlogo.png" alt="HPCC Systems">
                 <p class="loginStr"></p>
                 <div class="login">
-                    <form method="POST" action="/">
+                    <form method="POST" action="/esp/login">
                         <input type="text" name="username" placeholder="" class="loginStr"></input>
                         <input type="password" name="password" placeholder="" class="loginStr"></input>
                         <button class="loginStr" id="button" type="submit"></button>