From 7535ebacc69a7b39993992c62cfc3456cdbe1d45 Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Fri, 27 Sep 2013 08:02:33 -0400
Subject: [PATCH] Do not log passwords on failed authentication attempts (issue-316)

---
 releases.moxie                         |    1 +
 src/main/java/com/gitblit/GitBlit.java |    4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/releases.moxie b/releases.moxie
index 23c0de8..f9e21d4 100644
--- a/releases.moxie
+++ b/releases.moxie
@@ -17,6 +17,7 @@
 	- Personal repository prefix (~) is now configurable (issue-265)
 	- Reversed line links in blob view (issue-309)
 	- Dashboard and Activity pages now obey the web.generateActivityGraph setting (issue-310)
+	- Do not log passwords on failed authentication attempts (issue-316)
 	- Updated default binary and Lucene ignore extensions
     additions:
 	- Added branch graph image servlet based on EGit's branch graph renderer (issue-194)
diff --git a/src/main/java/com/gitblit/GitBlit.java b/src/main/java/com/gitblit/GitBlit.java
index 2cebe82..c31a0e9 100644
--- a/src/main/java/com/gitblit/GitBlit.java
+++ b/src/main/java/com/gitblit/GitBlit.java
@@ -947,8 +947,8 @@
 							user.username, httpRequest.getRemoteAddr()));
 					return user;
 				} else {
-					logger.warn(MessageFormat.format("Failed login attempt for {0}, invalid credentials ({1}) from {2}", 
-							username, credentials, httpRequest.getRemoteAddr()));
+					logger.warn(MessageFormat.format("Failed login attempt for {0}, invalid credentials from {1}", 
+							username, httpRequest.getRemoteAddr()));
 				}
 			}
 		}
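Review bot: The rewritten `logger.warn` call still writes `username` verbatim, and on a failed attempt that value is whatever the client submitted (presumably decoded from the request's credentials; the parsing is outside this hunk, as are the start and end of the enclosing method). A name containing CR/LF could forge extra log entries, and users sometimes type their password into the username field, so this line can still record a secret. Neutralise control characters before formatting, for example by passing `username.replaceAll("[\\r\\n]", "_")` as the `{0}` argument. A comment above the call such as `// never log the submitted credentials; username is client-supplied` would also help keep the credentials from being added back later. Log files written before this change still contain the submitted credentials, so the release note could advise operators to rotate or restrict those files.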

--
Gitblit v1.9.1