chemistry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Donald Kwakkel (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CMIS-940) Heap Inspection could reveal passwords
Date Mon, 24 Aug 2015 08:50:46 GMT

    [ https://issues.apache.org/jira/browse/CMIS-940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14708978#comment-14708978
] 

Donald Kwakkel commented on CMIS-940:
-------------------------------------

Is this because they are used for basic authentication?

> Heap Inspection could reveal passwords
> --------------------------------------
>
>                 Key: CMIS-940
>                 URL: https://issues.apache.org/jira/browse/CMIS-940
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
>
> Sensitive data (such as passwords, social security numbers, credit card numbers etc)
stored in memory can be leaked if memory is not cleared after use. Often, Strings are used
store sensitive data, however, since String objects are immutable, removing the value of a
String from memory can only be done by the JVM garbage collector. The garbage collector is
not required to run unless the JVM is low on memory, so there is no guarantee as to when garbage
collection will take place. In the event of an application crash, a memory dump of the application
might reveal sensitive data.
> src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java:
>  public static SessionParameterMap createSessionParameters(String url, BindingType binding,
String username,
>             String password, Authentication authentication, boolean compression, boolean
clientCompression,
>             boolean cookies) {
>    



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message