chemistry-dev mailing list archives

From "Donald Kwakkel (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CMIS-940) Heap Inspection could reveal passwords
Date Mon, 24 Aug 2015 08:34:45 GMT
Donald Kwakkel created CMIS-940:
-----------------------------------

             Summary: Heap Inspection could reveal passwords
                 Key: CMIS-940
                 URL: https://issues.apache.org/jira/browse/CMIS-940
             Project: Chemistry
          Issue Type: Bug
          Components: opencmis-client
    Affects Versions: OpenCMIS 0.13.0
            Reporter: Donald Kwakkel


Sensitive data (such as passwords, social security numbers, credit card numbers, etc.) stored
in memory can be leaked if memory is not cleared after use. Often, Strings are used to store
sensitive data; however, since String objects are immutable, removing the value of a String
from memory can only be done by the JVM garbage collector. The garbage collector is not required
to run unless the JVM is low on memory, so there is no guarantee as to when garbage collection
will take place. In the event of an application crash, a memory dump of the application might
reveal sensitive data.


src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java:

    public static SessionParameterMap createSessionParameters(String url, BindingType binding,
            String username, String password, Authentication authentication,
            boolean compression, boolean clientCompression, boolean cookies) {



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
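The report above points out that a password held in a String cannot be wiped. As an added illustration of the mitigation (not OpenCMIS code; the class and method names below are hypothetical), the following Java sketch keeps the password in a char[] that is overwritten as soon as it is no longer needed, while an API that only accepts a String would defeat that effort:

```java
import java.util.Arrays;
import java.util.function.Function;

/** Holds a password as char[] so the backing memory can be wiped once it is no longer needed. */
final class SecretPassword implements AutoCloseable {
    private final char[] value;
    private boolean cleared;

    SecretPassword(char[] value) {
        // Defensive copy: the caller's array may be reused or retained elsewhere.
        this.value = Arrays.copyOf(value, value.length);
    }

    /** Exposes the secret only for the duration of the callback, never as a String. */
    <T> T use(Function<char[], T> consumer) {
        if (cleared) {
            throw new IllegalStateException("password already cleared");
        }
        return consumer.apply(value);
    }

    /** True once close() has overwritten the buffer. */
    boolean isCleared() {
        return cleared;
    }

    @Override
    public void close() {
        // Overwrite the characters in place; an immutable String offers no equivalent.
        Arrays.fill(value, '\0');
        cleared = true;
    }
}

public class PasswordHandlingDemo {
    public static void main(String[] args) {
        char[] typed = {'s', '3', 'c', 'r', 'e', 't'}; // constructed sample input
        try (SecretPassword pw = new SecretPassword(typed)) {
            // Work with the chars directly; calling new String(chars) here would
            // create the very immutable copy the report warns about.
            int length = pw.use(chars -> chars.length);
            System.out.println("password length: " + length);
        }
        // The caller wipes its own copy as well; the holder's copy was zeroed by close().
        Arrays.fill(typed, '\0');
    }
}
```

Any parameter map or HTTP client that takes only a String will still produce an unclearable copy, so the char[] discipline has to extend to every layer that touches the secret.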
