From: "Sergey Vladimirov (JIRA)"
To: issues@commons.apache.org
Date: Tue, 24 Mar 2009 16:17:50 -0700 (PDT)
Message-ID: <910767406.1237936670734.JavaMail.jira@brutus>
Subject: [jira] Commented: (VFS-169) Thrown exception reveals passwords

[ https://issues.apache.org/jira/browse/VFS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688931#action_12688931 ]

Sergey Vladimirov commented on VFS-169:
---------------------------------------

Sorry, Joerg, didn't check SVN, only the patch file. Let me review it :)

> Thrown exception reveals passwords
> ----------------------------------
>
>                 Key: VFS-169
>                 URL: https://issues.apache.org/jira/browse/VFS-169
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 1.0
>            Reporter: Joerg Schaible
>            Assignee: Joerg Schaible
>             Fix For: 2.0
>
>         Attachments: vfs-pwd.patch
>
>
> If an exception occurs accessing a FileObject on a FileSystem that is addressed with a URL containing user and password, the thrown exception contains the password as part of the error message:
> org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server at "sftp://user:password@apache.org/".
> In such a case the URL should be printed as "sftp://user:***@apache.org/". The same applies to log messages - at least for INFO and higher.
> This is a security risk, since in big companies exceptions and logs are normally collected and archived in monitoring systems and may reveal the password to persons that normally have no authorization to the target system.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
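The masking the report asks for, written out as an added example (not Commons VFS code and not the attached patch; the names mask_url_password, scrub_message and FileSystemError are assumptions): the password in a URL's userinfo is replaced with "***" before the URL is placed in an exception message, and a second helper scrubs any such URL already embedded in a log line.

```python
"""Mask the password in URL userinfo before it reaches an exception
message or a log line, the behaviour VFS-169 asks for.

Added example, not Commons VFS code. Two entry points:
  mask_url_password()  for a single URL that is about to be reported
  scrub_message()      for free text (e.g. a log message) that may
                       embed such URLs anywhere
"""
import re
from urllib.parse import urlsplit, urlunsplit

MASK = "***"

# scheme://user:<password>@ inside arbitrary text. The password part stops at
# whitespace, a quote or the first "@" (a valid userinfo has no raw "@"), so an
# unrelated later "@" in the message is not swallowed.
_URL_CRED_RE = re.compile(r"(\b[A-Za-z][A-Za-z0-9+.-]*://[^:/@\s]+:)[^@\s\"']*(@)")


def mask_url_password(url: str) -> str:
    """Return url with its userinfo password replaced by MASK.

    A URL with no userinfo, or with a user name only, is returned unchanged.
    The user name is kept so the message still says which account failed.
    """
    parts = urlsplit(url)
    # rpartition mirrors urllib: the last "@" separates userinfo from host.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return url                          # no credentials in the URL
    user, colon, _password = userinfo.partition(":")
    if not colon:
        return url                          # user name only, nothing to hide
    netloc = f"{user}:{MASK}@{hostport}"    # host and port stay untouched
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def scrub_message(text: str) -> str:
    """Mask every user:password@ URL embedded in a log or exception message."""
    return _URL_CRED_RE.sub(lambda m: m.group(1) + MASK + m.group(2), text)


class FileSystemError(Exception):
    """Exception whose message (what ends up in logs) carries only the masked URL."""

    def __init__(self, what: str, url: str) -> None:
        self.safe_url = mask_url_password(url)
        super().__init__(f'{what} at "{self.safe_url}".')
```

Masking at the point the exception is constructed, rather than relying on log scrubbing alone, also covers stack traces that are printed or serialised without ever passing through a logger.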