commons-issues mailing list archives

From "Sergey Vladimirov (JIRA)" <j...@apache.org>
Subject [jira] Commented: (VFS-169) Thrown exception reveals passwords
Date Tue, 24 Mar 2009 12:37:51 GMT

    [ https://issues.apache.org/jira/browse/VFS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688664#action_12688664
] 

Sergey Vladimirov commented on VFS-169:
---------------------------------------

Joerg,

Seems we have duplication of functionality now:
 - GenericFileName has getSafeURI() method
 - FileName & AbstractFileName have getFriendlyURI() method

As for me, only getFriendlyURI() was okay (maybe using *** to replace the password should be
added), and this (and only this) method should be used by the toString() method.

Also AbstractFileObject should be changed to use "safe" URI in toString()

> Thrown exception reveals passwords
> ----------------------------------
>
>                 Key: VFS-169
>                 URL: https://issues.apache.org/jira/browse/VFS-169
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 1.0
>            Reporter: Joerg Schaible
>            Assignee: Joerg Schaible
>             Fix For: 2.0
>
>         Attachments: vfs-pwd.patch
>
>
> If an exception occurs accessing a FileObject on a FileSystem that is addressed with
> a URL containing user and password, the thrown exception contains the password as part of
> the error message:
> org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server at "sftp://user:password@apache.org/".
> In such a case the URL should be printed as "sftp://user:***@apache.org/". The same applies
> to log messages - at least for INFO and higher.
> This is a security risk, since in big companies exceptions and logs are normally collected
> and archived in monitoring systems and may reveal the password to persons that normally have
> no authorization to the target system.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
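An added example, not Commons VFS code, of the masking that a "friendly" URI method has to do before a URI reaches an exception message or log line; the class name, method name and sample URLs are assumed, and the fallback regex scrub for unparseable input is this example's own choice:

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example (not Commons VFS code). friendlyUri is an assumed name mirroring
// the getFriendlyURI() discussed in the thread; toString() and exception
// messages should go through it so the password never reaches a log.
public final class FriendlyUriExample {

    /** Returns the URI text with any password in the userinfo replaced by "***". */
    public static String friendlyUri(String uriText) {
        String authority;
        try {
            // Raw (still percent-encoded) authority: "user:pass@host:port", or null.
            authority = new URI(uriText).getRawAuthority();
        } catch (URISyntaxException e) {
            // Malformed input may still carry credentials: scrub it as plain text
            // rather than returning it unchanged.
            return uriText.replaceFirst("://([^/@:]*):[^@/]*@", "://$1:***@");
        }
        if (authority == null) {
            return uriText;                      // e.g. file:///..., nothing to hide
        }
        // Split at the LAST '@' so an unencoded '@' inside the password is handled;
        // Java then parses such an authority as registry-based, not as user/host.
        int at = authority.lastIndexOf('@');
        if (at < 0) {
            return uriText;                      // no userinfo at all
        }
        String userInfo = authority.substring(0, at);
        int colon = userInfo.indexOf(':');
        if (colon < 0) {
            return uriText;                      // user name only, no password
        }
        String masked = userInfo.substring(0, colon) + ":***" + authority.substring(at);
        int start = uriText.indexOf(authority);  // authority directly follows "scheme://"
        return uriText.substring(0, start) + masked
             + uriText.substring(start + authority.length());
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the message mirrors the one quoted in the issue.
        String[] samples = {
            "sftp://user:password@apache.org/",             // -> sftp://user:***@apache.org/
            "sftp://user:p%40ss@apache.org:2222/dir/f.txt", // password encoded, port kept
            "sftp://user@apache.org/",                      // no password, unchanged
            "file:///tmp/report.txt"                        // no authority, unchanged
        };
        for (String s : samples) {
            System.out.println("Could not connect to SFTP server at \"" + friendlyUri(s) + "\".");
        }
    }
}
```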

