commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Horst Beham (JIRA)" <>
Subject [jira] Created: (VFS-277) VFS ant tasks reveal passwords
Date Mon, 17 Aug 2009 16:22:14 GMT
VFS ant tasks reveal passwords

                 Key: VFS-277
             Project: Commons VFS
          Issue Type: Bug
    Affects Versions: 2.0
         Environment: Solaris 10; Ant 1.7.1; commons-vfs-SNAPSHOT-2.0 (revision 537717)
            Reporter: Horst Beham

1) uses MessageFormat to create log messages, which goes back to FileObject.toString(),
which returns name.getURI() containing the password.

A fix for that was suggested in VFS-169 (and others) to modify AbstractFileObject.toString()
to use "name.getFriendlyURI()", but it wasn't implemented in order to keep the API compatible.

2) concatenates the string representation of the source directory's URL in
the the line:
log("Deleting " + filesList + " in the directory " + srcDirUrl)

To fix this I replaced the block inside the "if" with:
                final FileObject srcDir = resolveFile(dir);
                log("Deleting " + filesList + " in the directory " + srcDir.getName().getFriendlyURI());

                StringTokenizer tok = new StringTokenizer(filesList, ", \t\n\r\f", false);
                while (tok.hasMoreTokens())
                    String nextFile = tok.nextToken();
                    final FileObject srcFile = srcDir.resolveFile(nextFile);

There might me more VFS ant tasks leaking passwords which I haven't looked at

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message