Message-ID: <15690883.6981283378561698.JavaMail.jira@thor>
Date: Wed, 1 Sep 2010 18:02:41 -0400 (EDT)
From: "Lorrin Nelson (JIRA)"
To: camel-dev@activemq.apache.org
Subject: [jira] Updated: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext
In-Reply-To: <26288322.6951283377660366.JavaMail.jira@thor>

[
https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lorrin Nelson updated CAMEL-3099:
---------------------------------

    Patch Info: [Patch Available]

> passwords and other private data contained in URIs should not be logged in plaintext
> ------------------------------------------------------------------------------------
>
>                 Key: CAMEL-3099
>                 URL: https://issues.apache.org/activemq/browse/CAMEL-3099
>             Project: Apache Camel
>          Issue Type: Improvement
>          Components: camel-core
>            Reporter: Lorrin Nelson
>            Priority: Minor
>         Attachments: 0001-Reduce-risk-of-showing-passwords-in-URIs-by-adding-c.patch
>
>
> URIs with sensitive data are common, and URIs are frequently logged. I bumped into this myself most recently with an FTP consumer. I ended up with log messages like this:
> RemoteFileProducer 2010-08-31 16:21:45,459 -- INFO -- Connected and logged in to: Endpoint[sftp://myusername@my.host.name/var/my/path?fileName=myFile.txt&password=yikesMyPassword]
> I propose a sane-defaults patch of modifying DefaultEndpoint.java's toString to sanitize the URI by looking for URI params containing the tokens "password" or "passphrase" and rendering their value as "*******" instead of the actual value. Obviously this isn't always the right thing to do in every situation, but it seems appropriate for many endpoints. Any for which it is not appropriate could override toString.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
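
The masking rule proposed in the issue, sketched as an added example. It is not the attached patch and not Camel's code; the class name UriSanitizer, the method sanitize and every sample URI except the one quoted from the log line above are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper, not part of Camel: masks secret query parameters
// before a URI is written to a log or returned from toString().
public class UriSanitizer {
    // Mask shown in place of the secret value, as proposed in the issue.
    private static final String MASK = "*******";

    // Group 1: '?' or '&', a parameter name containing "password" or
    //          "passphrase" (any case), and the '=' sign.
    // Group 2: the value, up to the next '&', '#' or end of string.
    // The name part cannot cross '=', so a value that merely contains
    // the word "password" (for example a file name) is left alone.
    private static final Pattern SECRET_PARAM = Pattern.compile(
            "([?&][^=&#]*(?:password|passphrase)[^=&#]*=)([^&#]*)",
            Pattern.CASE_INSENSITIVE);

    /** Returns the URI with secret parameter values masked; null stays null. */
    public static String sanitize(String uri) {
        if (uri == null) {
            return null;
        }
        Matcher m = SECRET_PARAM.matcher(uri);
        // Keep the name and '=', replace only the value.
        return m.replaceAll("$1" + Matcher.quoteReplacement(MASK));
    }

    public static void main(String[] args) {
        String[] samples = {
            // URI from the log line quoted in the issue.
            "sftp://myusername@my.host.name/var/my/path?fileName=myFile.txt&password=yikesMyPassword",
            // Constructed: secret is the first parameter, mixed-case name.
            "sftp://user@example.invalid/in?keyPassPhrase=s3cret&fileName=a.txt",
            // Constructed: two secrets and a fragment.
            "ftp://user@example.invalid/out?password=a&proxyPassword=b#frag",
            // Constructed: the token appears only in a value, so nothing is masked.
            "file:/tmp/in?fileName=password.txt"
        };
        for (String uri : samples) {
            // Mimics the Endpoint[...] form seen in the log message.
            System.out.println("Endpoint[" + sanitize(uri) + "]");
        }
    }
}
```

This covers query parameters only, as the proposal does; a secret carried elsewhere in the URI, such as in the user-info part before the host, would still be printed.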