commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 25186] New: - Security problem, BasicDataSource class
Date Wed, 03 Dec 2003 23:47:36 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25186>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25186

Security problem, BasicDataSource class

           Summary: Security problem, BasicDataSource class
           Product: Commons
           Version: 1.1 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Dbcp
        AssignedTo: commons-dev@jakarta.apache.org
        ReportedBy: gernot.pfingstl@stmk.gv.at


In class org.apache.commons.dbcp.BasicDataSource there is a PUBLIC 
method "getPassword()". This is a critical security problem: If DBCP is used in 
Tomcat, a Tomcat admin will setup JNDI-Datasources. The deployer of a webapp 
should not know anything about the Datasource details especially not the 
password! Some developer could easy call "getPassword()" to hack the database. 
As a first solution "getPassword()" could be rewritten to always return "null" 
(later it could be removed), second the instance field "password" should change 
from "protected" to "private".

---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org


Mime
View raw message