camel-dev mailing list archives

From "Claus Ibsen (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext
Date Thu, 02 Sep 2010 13:48:41 GMT

    [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61626#action_61626
] 

Claus Ibsen commented on CAMEL-3099:
------------------------------------

Looks okay since it's only in the {{toString}} method and hence won't affect any internal logic
which leverages {{endpointUri}} or {{endpointKey}}.

Would like to have that reg exp unit test though. So if the patch could add tests which ensure
the reg exp does as expected.
And obviously that import of sun internal class should not be included.

Camel should also compile on IBM and other JDKs

> passwords and other private data contained in URIs should not be logged in plaintext
> ------------------------------------------------------------------------------------
>
>                 Key: CAMEL-3099
>                 URL: https://issues.apache.org/activemq/browse/CAMEL-3099
>             Project: Apache Camel
>          Issue Type: Improvement
>          Components: camel-core
>            Reporter: Lorrin Nelson
>            Assignee: Hadrian Zbarcea
>            Priority: Minor
>         Attachments: 0001-Reduce-risk-of-showing-passwords-in-URIs-by-adding-c.patch
>
>
> URIs with sensitive data are common and URIs are frequently logged. I bumped into
> this myself most recently with an FTP consumer. I ended up with log messages like this:
> RemoteFileProducer 2010-08-31 16:21:45,459 -- INFO -- Connected and logged in to: Endpoint[sftp://myusername@my.host.name/var/my/path?fileName=myFile.txt&password=yikesMyPassword]
> I propose a sane-defaults patch of modifying DefaultEndpoint.java's toString to sanitize
> the URI by looking for URI params containing the tokens "password" or "passphrase" and rendering
> their value as "*******" instead of the actual value. Obviously this isn't always the right
> thing to do in every situation, but it seems appropriate for many endpoints. Any for which
> it is not appropriate could override toString.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
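The masking the issue proposes for {{toString}}, written out as an added example that is not the attached patch or Camel's own code: a regex over the query string that replaces the value of any parameter whose key contains "password" or "passphrase" with "*******", using only `java.util.regex` so it compiles on any JDK, plus the kind of checks the comment asks for. The class name `UriSanitizer`, the method name `sanitizeUri` and the sample URIs are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not the CAMEL-3099 patch: masks query-parameter values whose
// key contains "password" or "passphrase", as proposed for DefaultEndpoint.toString().
// Class and method names are assumptions. Only java.util.regex is used, so no
// sun.* internal class is needed and the code is portable across JDKs.
public final class UriSanitizer {

    // Group 1: '?' or '&', the parameter name containing the token, and '='.
    // Group 2: the value, which runs up to the next '&' or the end of the URI.
    private static final Pattern SECRET_PARAM = Pattern.compile(
            "([?&][^=&]*(?:password|passphrase)[^=&]*=)([^&]*)",
            Pattern.CASE_INSENSITIVE);

    private static final String MASK = "*******";

    private UriSanitizer() {
    }

    /** Returns uri with every password/passphrase parameter value replaced by the mask. */
    public static String sanitizeUri(String uri) {
        if (uri == null) {
            return null;
        }
        Matcher m = SECRET_PARAM.matcher(uri);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            // Keep the key (group 1), drop the value (group 2).
            m.appendReplacement(sb, Matcher.quoteReplacement(m.group(1) + MASK));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    private static void check(String input, String expected) {
        String actual = sanitizeUri(input);
        if (!expected.equals(actual)) {
            throw new IllegalStateException("expected " + expected + " but got " + actual);
        }
    }

    public static void main(String[] args) {
        // The URI from the issue description, plus constructed edge cases:
        // token anywhere in the key, mixed case, several secrets, a non-secret key.
        check("sftp://myusername@my.host.name/var/my/path?fileName=myFile.txt&password=yikesMyPassword",
              "sftp://myusername@my.host.name/var/my/path?fileName=myFile.txt&password=*******");
        check("ftp://h/p?passPhrase=x&fileName=f", "ftp://h/p?passPhrase=*******&fileName=f");
        check("ftp://h/p?proxyPassword=a&password=b", "ftp://h/p?proxyPassword=*******&password=*******");
        check("ftp://h/p?fileName=f", "ftp://h/p?fileName=f");
        System.out.println("all checks passed");
    }
}
```

A password placed in the user-info part of the URI (user:secret@host) is not covered, since the issue only addresses query parameters; an endpoint that carries secrets elsewhere would still need to override toString as the description suggests.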

