Passwords stored in .orientdb_history file

[FreeK]

OrientDB Version: 2.2.30

Java Version: Java(TM) SE Runtime Environment (build 1.8.0_151-b12)

OS: Linux (Ubuntu 14.04.5)

Expected behavior

Passwords should NOT be stored in .orientdb_history

Actual behavior

Passwords are stored in plain text in .orientdb_history

Steps to reproduce

Connect to OrientDB via console:
$ORIENTDB_HOME/bin/console.sh

Connect to a database:
orientdb> CONNECT plocal:../databases/GratefulDeadConcerts admin my_admin_password

Quit the console and cat .orientdb_history file:

CONNECT plocal:../databases/GratefulDeadConcerts admin my_admin_password
exit

As this violates our security policy, we cannot use OrientDB.

[wangjunji]

I have the same problem.
Not only password, the encryption key is also stored in plain text in .orientdb_history by executing config set storage.encryptionKey xxxxxxxxx in console.sh
It may cause security issues. Any configuration will help to disable the console history?

[luigidellaquila]

Hi @wangjunji @FreeK

I added a --disable-history option to the console, so that you can disable that functionality if needed

Thanks

Luigi