directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DIRAPI-197) When dumping a BindRequest, the password is exposed
Date Wed, 23 Jul 2014 16:11:41 GMT
Emmanuel Lecharny created DIRAPI-197:
----------------------------------------

             Summary: When dumping a BindRequest, the password is exposed
                 Key: DIRAPI-197
                 URL: https://issues.apache.org/jira/browse/DIRAPI-197
             Project: Directory Client API
          Issue Type: Bug
    Affects Versions: 1.0.0-M23
            Reporter: Emmanuel Lecharny
            Priority: Blocker
             Fix For: 1.0.0-M24


The BindRequestImpl.toString() metjod does print the password when in Simple mode (it's not
the case when using SASL) :

            if ( isSimple )
            {
                sb.append( "        Simple authentication : '" ).append( Strings.utf8ToString(
credentials ) )
                    .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n"
);
            }
            else
            {
                sb.append( "        Sasl credentials\n" );
                sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n"
);

                if ( credentials == null )
                {
                    sb.append( "            Credentials : null" );
                }
                else
                {
                    sb.append( "            Credentials : (omitted-for-safety)" );
                }

This is absolutely wrong...



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message