commons-issues mailing list archives

From "Horst Beham (JIRA)" <j...@apache.org>
Subject [jira] Updated: (VFS-277) VFS ant tasks reveal passwords
Date Mon, 17 Aug 2009 18:54:16 GMT

     [ https://issues.apache.org/jira/browse/VFS-277?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Horst Beham updated VFS-277:
----------------------------

    Attachment: vfs-test.xml

ant script that tests whether the log output contains passwords.
requires ant-contrib.jar and ant 1.7.x

> VFS ant tasks reveal passwords
> ------------------------------
>
>                 Key: VFS-277
>                 URL: https://issues.apache.org/jira/browse/VFS-277
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 2.0
>         Environment: Solaris 10; Ant 1.7.1; commons-vfs-SNAPSHOT-2.0 (revision 537717)
>            Reporter: Horst Beham
>         Attachments: ant-password-leak.diff, vfs-test.xml
>
>
> 1) Password leaking through FileObject.toString()
> - AbstractSyncTask.java and MkdirTask.java use MessageFormat to create log messages, which goes back to FileObject.toString() and returns "name.getURI()" containing the password.
>             final String message = Messages.getString("vfs.tasks/mkdir.create-folder.info", dir);
>             log(message);
> - MoveTask.java and SyncTask.java use string concatenation with a FileObject, also going back to toString():
>             log("Deleting " + srcFile);
> A fix for that was suggested in VFS-169 (and others) to modify AbstractFileObject.toString() to use "name.getFriendlyURI()", but it wasn't implemented in order to keep the API compatible. For our project I was able to change the toString() implementation.
> To keep the API working all calls to Messages.getString(...) that pass in FileObject's should then rather pass in fileObject.getName().getFriendlyURI().
> 2) String concatenation with URI strings
> DeleteTask.java concatenates the string representation of the source directory's URL in the line:
> log("Deleting " + filesList + " in the directory " + srcDirUrl)
> To fix this I replaced the block inside the "if" with:
>                 final FileObject srcDir = resolveFile(srcDirUrl);
>                 log("Deleting " + filesList + " in the directory " + srcDir.getName().getFriendlyURI());
>                 StringTokenizer tok = new StringTokenizer(filesList, ", \t\n\r\f", false);
>                 while (tok.hasMoreTokens())
>                 {
>                     String nextFile = tok.nextToken();
>                     final FileObject srcFile = srcDir.resolveFile(nextFile);
>                     srcFile.delete(Selectors.SELECT_ALL);
>                 }
> 3) Explicit logging of the password URI
> ShowFileTask.java explicitly logs the URI with the password:
>             log("Details of " + file.getName().getURI());

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
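As an added example (not code from the report, its attachments, or Commons VFS itself), the following standalone Java class shows the fix the reporter describes for all three cases: build log messages from FileName.getFriendlyURI() instead of FileObject.toString() or FileName.getURI(), and check emitted log lines for the clear-text secret in the same spirit as the attached vfs-test.xml. It assumes the released Commons VFS 2.x package name org.apache.commons.vfs2 (the 2009 snapshot referenced in the report still used org.apache.commons.vfs) and commons-net on the classpath so that the ftp scheme is registered; the class name SafeFileNames, its methods and the sample credentials are constructed for this example. FileSystemManager.resolveURI() only parses the name, so no connection to the (non-existent) host is attempted.

```java
import org.apache.commons.vfs2.FileName;
import org.apache.commons.vfs2.FileObject;
import org.apache.commons.vfs2.FileSystemException;
import org.apache.commons.vfs2.FileSystemManager;
import org.apache.commons.vfs2.VFS;

/**
 * Helpers for putting VFS file names into log messages without the
 * credential part of the URI. Constructed for this example; not part of VFS.
 */
public final class SafeFileNames {

    private SafeFileNames() {
    }

    /**
     * Log-safe description of a file name: the "friendly" URI, in which the
     * provider masks the password. Never use FileName.getURI() for logging.
     */
    public static String describe(FileName name) {
        return name.getFriendlyURI();
    }

    /**
     * Same for a FileObject. The report shows that FileObject.toString()
     * returns getName().getURI(), so "..." + fileObject in a log call or as a
     * MessageFormat argument leaks the password; pass this value instead.
     */
    public static String describe(FileObject file) {
        return describe(file.getName());
    }

    /**
     * Check in the style of the attached Ant test: does a captured log line
     * contain the clear-text secret?
     */
    public static boolean leaksSecret(String logLine, String secret) {
        return secret != null && secret.length() > 0 && logLine.contains(secret);
    }

    public static void main(String[] args) throws FileSystemException {
        // Constructed sample credentials and host; resolveURI() only parses them.
        String secret = "s3cr3t-example";
        String uri = "ftp://alice:" + secret + "@ftp.example.invalid/pub/incoming";

        FileSystemManager fsm = VFS.getManager();
        FileName name = fsm.resolveURI(uri);

        // The pattern from the report (DeleteTask/ShowFileTask): full URI in the log.
        String unsafe = "Deleting in the directory " + name.getURI();
        // The reporter's fix: friendly URI with the password masked.
        String safe = "Deleting in the directory " + describe(name);

        System.out.println(unsafe + "   leaks=" + leaksSecret(unsafe, secret));
        System.out.println(safe + "   leaks=" + leaksSecret(safe, secret));
    }
}
```

The leaksSecret() check is what a build- or CI-level guard would run over captured Ant output: resolve the test URL with a known throw-away password, run the tasks, and fail the build if that password string appears in the log. Masking by string replacement on the finished message is not an adequate substitute, because the password may be URL-encoded or split across wrapped lines; the fix belongs at the point where the name is turned into text, which is what getFriendlyURI() provides.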

