commons-dev mailing list archives

From "Joerg Schaible (JIRA)" <j...@apache.org>
Subject [jira] Created: (VFS-169) Thrown exception reveals passwords
Date Thu, 12 Jul 2007 15:27:04 GMT
Thrown exception reveals passwords
----------------------------------

                 Key: VFS-169
                 URL: https://issues.apache.org/jira/browse/VFS-169
             Project: Commons VFS
          Issue Type: Bug
    Affects Versions: 1.0
            Reporter: Joerg Schaible


If an exception occurs accessing a FileObject on a FileSystem that is addressed with a URL
containing user and password, the thrown exception contains the password as part of the error
message:

org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server at "sftp://user:password@apache.org/".

In such a case the URL should be printed as "sftp://user:***@apache.org/". The same applies to
log messages - at least for INFO and higher.

This is a security risk, since in big companies exceptions and logs are normally collected
and archived in monitoring systems and may reveal the password to persons who normally have
no authorization to the target system.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
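
The masking requested in the report, as an added Java example that is not part of the original message and is not Commons VFS code. The class name UrlPasswordMasker and its mask method are hypothetical, and the sample URLs other than the one from the report are constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper (not a Commons VFS class): masks the password in a URL's user-info. */
public final class UrlPasswordMasker {

    // scheme "://" user ":" password "@". The password may contain an unencoded
    // ':' or '@', so it is matched greedily up to the last '@' that precedes the
    // first '/', '?' or '#'.
    private static final Pattern USER_INFO =
        Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*://)([^/?#:@]*):([^/?#]*)@");

    private UrlPasswordMasker() { }

    /** Returns the URL with the password replaced by "***"; other input is returned unchanged. */
    public static String mask(String url) {
        if (url == null) {
            return null;
        }
        Matcher m = USER_INFO.matcher(url);
        if (!m.find()) {
            return url; // no "user:password@" in the authority part
        }
        return m.group(1) + m.group(2) + ":***@" + url.substring(m.end());
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first is the URL quoted in the report.
        String[] samples = {
            "sftp://user:password@apache.org/",               // sftp://user:***@apache.org/
            "sftp://user:p@ss:w0rd@apache.org/dir/file.txt",  // '@' and ':' inside the password
            "sftp://user@apache.org/",                        // no password: unchanged
            "ftp://apache.org/pub/a:b@c",                     // ':' and '@' only in the path: unchanged
        };
        for (String s : samples) {
            System.out.println(mask(s));
        }
        // Build the message from the masked form only, so the raw URL never reaches
        // the exception text or any log line derived from it.
        RuntimeException e = new RuntimeException(
            "Could not connect to SFTP server at \"" + mask(samples[0]) + "\".");
        System.out.println(e.getMessage());
    }
}
```

Masking has to happen where the message string is built; redacting in a log appender alone leaves the password in the exception object, which other handlers may still serialize.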

