commons-issues mailing list archives

From "Horst Beham (JIRA)" <j...@apache.org>
Subject [jira] Updated: (VFS-277) VFS ant tasks reveal passwords
Date Mon, 17 Aug 2009 16:38:14 GMT

     [ https://issues.apache.org/jira/browse/VFS-277?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Horst Beham updated VFS-277:
----------------------------

    Description: 
1) Password leaking through FileObject.toString()
- AbstractSyncTask.java and MkdirTask.java use MessageFormat to create log messages, which
goes back to FileObject.toString() and returns "name.getURI()" containing the password.
            final String message = Messages.getString("vfs.tasks/mkdir.create-folder.info", dir);
            log(message);

- MoveTask.java and SyncTask.java use string concatenation with a FileObject, also going back
to toString():
            log("Deleting " + srcFile);

A fix for that was suggested in VFS-169 (and others) to modify AbstractFileObject.toString()
to use "name.getFriendlyURI()", but it wasn't implemented in order to keep the API compatible.
For our project I was able to change the toString() implementation.
To keep the API working, all calls to Messages.getString(...) that pass in FileObjects should
then rather pass in fileObject.getName().getFriendlyURI().

2) String concatenation with URI strings
DeleteTask.java concatenates the string representation of the source directory's URL in
the line:
log("Deleting " + filesList + " in the directory " + srcDirUrl)

To fix this I replaced the block inside the "if" with:
                final FileObject srcDir = resolveFile(dir);
                log("Deleting " + filesList + " in the directory " + srcDir.getName().getFriendlyURI());

                StringTokenizer tok = new StringTokenizer(filesList, ", \t\n\r\f", false);
                while (tok.hasMoreTokens())
                {
                    String nextFile = tok.nextToken();
                    final FileObject srcFile = srcDir.resolveFile(nextFile);
                    srcFile.delete(Selectors.SELECT_ALL);
                }

3) Explicit logging of the password URI
ShowFileTask.java explicitly logs the URI with the password:
            log("Details of " + file.getName().getURI());



  was:
1) AbstractSyncTask.java uses MessageFormat to create log messages, which goes back to FileObject.toString(),
which returns name.getURI() containing the password.

A fix for that was suggested in VFS-169 (and others) to modify AbstractFileObject.toString()
to use "name.getFriendlyURI()", but it wasn't implemented in order to keep the API compatible.

2) DeleteTask.java concatenates the string representation of the source directory's URL in
the line:
log("Deleting " + filesList + " in the directory " + srcDirUrl)

To fix this I replaced the block inside the "if" with:
                final FileObject srcDir = resolveFile(dir);
                log("Deleting " + filesList + " in the directory " + srcDir.getName().getFriendlyURI());

                StringTokenizer tok = new StringTokenizer(filesList, ", \t\n\r\f", false);
                while (tok.hasMoreTokens())
                {
                    String nextFile = tok.nextToken();
                    final FileObject srcFile = srcDir.resolveFile(nextFile);
                    srcFile.delete(Selectors.SELECT_ALL);
                }


There might be more VFS ant tasks leaking passwords which I haven't looked at


> VFS ant tasks reveal passwords
> ------------------------------
>
>                 Key: VFS-277
>                 URL: https://issues.apache.org/jira/browse/VFS-277
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 2.0
>         Environment: Solaris 10; Ant 1.7.1; commons-vfs-SNAPSHOT-2.0 (revision 537717)
>            Reporter: Horst Beham
>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
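The leak pattern described in the report, and the proposed fix, as an added stand-alone example. This is not Commons VFS or Ant code: LeakyFileObject is a stand-in for a FileObject whose toString() returns the full URI, log() stands in for org.apache.tools.ant.Task.log(), and friendlyUri() is a plain-JDK stand-in for the password masking the report attributes to FileName.getFriendlyURI(). The sftp URI, user name and password are constructed sample data. Both of the paths the report names (string concatenation and MessageFormat, which is what Messages.getString uses) end up in toString(), and the example shows why passing the friendly URI explicitly closes both.

```java
import java.net.URI;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.List;

/*
 * Added example for VFS-277 (not Commons VFS code). LeakyFileObject stands in for a
 * FileObject whose toString() returns the full URI; friendlyUri() is a plain-JDK
 * stand-in for the masking the report attributes to FileName.getFriendlyURI().
 * The sftp URI, user name and password below are constructed sample data.
 */
public final class VfsLogLeakDemo {

    /** Stand-in for a VFS FileObject: toString() delegates to the URI, password included. */
    static final class LeakyFileObject {
        private final String uri;

        LeakyFileObject(String uri) {
            this.uri = URI.create(uri).toString(); // validates the syntax up front
        }

        /** Equivalent of fileObject.getName().getURI(): credentials are still present. */
        String getURI() {
            return uri;
        }

        /** The behaviour the report complains about: every implicit conversion leaks the URI. */
        @Override
        public String toString() {
            return getURI();
        }
    }

    /**
     * Stand-in for getName().getFriendlyURI(): replaces the password part of
     * "user:password@host" with "***". URIs without user-info, or with a user name
     * but no password, are returned unchanged. Raw user-info is used so that
     * percent-encoded passwords are matched exactly as they appear in the string.
     */
    static String friendlyUri(String uriString) {
        URI uri = URI.create(uriString);
        String userInfo = uri.getRawUserInfo();
        if (userInfo == null) {
            return uriString;
        }
        int colon = userInfo.indexOf(':');
        if (colon < 0) {
            return uriString;
        }
        String masked = userInfo.substring(0, colon + 1) + "***";
        int start = uriString.indexOf(userInfo + "@");
        return uriString.substring(0, start) + masked + uriString.substring(start + userInfo.length());
    }

    /** Stand-in for org.apache.tools.ant.Task.log(): messages are collected so they can be inspected. */
    static final List<String> LOG = new ArrayList<>();

    static void log(String message) {
        LOG.add(message);
    }

    /** The two patterns from the report: concatenation and MessageFormat both call toString(). */
    static void logLeaky(LeakyFileObject srcFile, LeakyFileObject dir) {
        log("Deleting " + srcFile);
        log(MessageFormat.format("Creating folder {0}.", dir));
    }

    /** The fix the report proposes: pass the friendly URI explicitly instead of the FileObject. */
    static void logSafe(LeakyFileObject srcFile, LeakyFileObject dir) {
        log("Deleting " + friendlyUri(srcFile.getURI()));
        log(MessageFormat.format("Creating folder {0}.", friendlyUri(dir.getURI())));
    }

    /** Regression check a build can run after a task: does any collected log line contain the secret? */
    static boolean logLeaks(String secret) {
        for (String line : LOG) {
            if (line.contains(secret)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String password = "s3cr3t"; // constructed sample secret
        LeakyFileObject war = new LeakyFileObject("sftp://deploy:" + password + "@host.example/srv/app/old.war");
        LeakyFileObject dir = new LeakyFileObject("sftp://deploy:" + password + "@host.example/srv/app/releases");

        logLeaky(war, dir);
        System.out.println("leaky pattern leaks password: " + logLeaks(password));
        LOG.clear();

        logSafe(war, dir);
        System.out.println("fixed pattern leaks password: " + logLeaks(password));
        for (String line : LOG) {
            System.out.println("  " + line); // user-info now reads deploy:***
        }
    }
}
```

The logLeaks() check is the part worth keeping around: run the real Ant tasks against a throwaway credential in a build, capture the Ant output, and fail the build if the credential string appears in it. That catches the tasks the reporter says he has not looked at, as well as any future toString() regressions, without having to audit each task by hand.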

