commons-issues mailing list archives

From "Sebb (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (NET-557) FTPClient Login suppression inconsistent
Date Wed, 03 Dec 2014 01:27:12 GMT

    [ https://issues.apache.org/jira/browse/NET-557?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14232432#comment-14232432 ]

Sebb commented on NET-557:
--------------------------

The user name on its own is not sufficient to log in.
The fact that FTP servers respond with the user name suggests that it really does not need
to be redacted in most cases.
So how much of a security risk is it?
I'm not sure that this is worth the effort.

If you don't want the login sequence to be captured, then don't use a command listener, or
add it after login.
Or write your own.

> FTPClient Login suppression inconsistent
> ----------------------------------------
>
>                 Key: NET-557
>                 URL: https://issues.apache.org/jira/browse/NET-557
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP
>    Affects Versions: 3.3
>         Environment: Windows 7, Java 7
>            Reporter: Phil Dicke
>            Priority: Minor
>
> The following code prints out the user name in one instance and masks it in the other. The password is masked in both cases. I would prefer the user name to be masked in both cases as well.
> {code}
> FTPClient client = new FTPClient();
> client.addProtocolCommandListener(new PrintCommandListener(System.out, true));
> client.connect(host);
> client.login(user, pass);
> {code}
> Output (Notice the user name is printed on the response)
> {code}
> 220 Microsoft FTP Service
> USER *******
> 331 Password required for ftpTest.
> PASS *******
> 230 User ftpTest logged in.
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
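
The "write your own" option from the comment above, as an added example that is not part of the original message or of Commons Net: a `ProtocolCommandListener` that masks the USER and PASS commands and also scrubs the user name when the server echoes it in a reply. The class name `RedactingCommandListener` and its helper methods are hypothetical, and the events in `main` are constructed from the output quoted in the issue.

```java
import java.io.PrintStream;
import org.apache.commons.net.ProtocolCommandEvent;
import org.apache.commons.net.ProtocolCommandListener;
// Added example; the class and helper names are hypothetical, not part of Commons Net.
public class RedactingCommandListener implements ProtocolCommandListener {
    private static final String MASK = "*******";
    private final PrintStream out;
    private String userName; // argument of the most recent USER command
    public RedactingCommandListener(PrintStream out) { this.out = out; }

    @Override
    public void protocolCommandSent(ProtocolCommandEvent event) {
        String cmd = event.getCommand();
        if ("USER".equalsIgnoreCase(cmd)) {
            userName = argumentOf(event.getMessage()); // remember it so replies can be scrubbed
            out.println(cmd + " " + MASK);
        } else if ("PASS".equalsIgnoreCase(cmd)) {
            out.println(cmd + " " + MASK);
        } else {
            out.print(event.getMessage());
        }
    }

    @Override
    public void protocolReplyReceived(ProtocolCommandEvent event) {
        out.print(redact(event.getMessage(), userName));
    }

    // Text after the first space of a command line, without the trailing CRLF.
    static String argumentOf(String line) {
        int sp = line.indexOf(' ');
        return sp < 0 ? "" : line.substring(sp + 1).trim();
    }

    // Literal, case-sensitive replacement; a very short name can also mask unrelated text.
    static String redact(String reply, String name) {
        return (name == null || name.isEmpty()) ? reply : reply.replace(name, MASK);
    }

    // Offline run over constructed events modelled on the output quoted in the issue.
    public static void main(String[] args) {
        ProtocolCommandListener l = new RedactingCommandListener(System.out);
        Object src = new Object();
        l.protocolCommandSent(new ProtocolCommandEvent(src, "USER", "USER ftpTest\r\n"));
        l.protocolReplyReceived(new ProtocolCommandEvent(src, 331, "331 Password required for ftpTest.\r\n"));
        l.protocolCommandSent(new ProtocolCommandEvent(src, "PASS", "PASS secret\r\n"));
        l.protocolReplyReceived(new ProtocolCommandEvent(src, 230, "230 User ftpTest logged in.\r\n"));
    }
}
```

To use it against a real server, register it with `client.addProtocolCommandListener(new RedactingCommandListener(System.out))` before calling `login`.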
