directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (DIRAPI-197) When dumping a BindRequest, the password is exposed
Date Wed, 23 Jul 2014 16:11:43 GMT

     [ https://issues.apache.org/jira/browse/DIRAPI-197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny updated DIRAPI-197:
-------------------------------------

    Description: 
The BindRequestImpl.toString() method does print the password when in Simple mode (it's not
the case when using SASL) :

{code:java}
            if ( isSimple )
            {
                sb.append( "        Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
                    .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
            }
            else
            {
                sb.append( "        Sasl credentials\n" );
                sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n" );

                if ( credentials == null )
                {
                    sb.append( "            Credentials : null" );
                }
                else
                {
                    sb.append( "            Credentials : (omitted-for-safety)" );
                }
{code}

This is absolutely wrong...

  was:
The BindRequestImpl.toString() method does print the password when in Simple mode (it's not
the case when using SASL) :

            if ( isSimple )
            {
                sb.append( "        Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
                    .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
            }
            else
            {
                sb.append( "        Sasl credentials\n" );
                sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n" );

                if ( credentials == null )
                {
                    sb.append( "            Credentials : null" );
                }
                else
                {
                    sb.append( "            Credentials : (omitted-for-safety)" );
                }

This is absolutely wrong...


> When dumping a BindRequest, the password is exposed
> ---------------------------------------------------
>
>                 Key: DIRAPI-197
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-197
>             Project: Directory Client API
>          Issue Type: Bug
>    Affects Versions: 1.0.0-M23
>            Reporter: Emmanuel Lecharny
>            Priority: Blocker
>             Fix For: 1.0.0-M24
>
>
> The BindRequestImpl.toString() method does print the password when in Simple mode (it's not the case when using SASL) :
> {code:java}
>             if ( isSimple )
>             {
>                 sb.append( "        Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
>                     .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
>             }
>             else
>             {
>                 sb.append( "        Sasl credentials\n" );
>                 sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n" );
>                 if ( credentials == null )
>                 {
>                     sb.append( "            Credentials : null" );
>                 }
>                 else
>                 {
>                     sb.append( "            Credentials : (omitted-for-safety)" );
>                 }
> {code}
> This is absolutely wrong...



--
This message was sent by Atlassian JIRA
(v6.2#6252)
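
One way to keep credentials out of a request dump in both the Simple and SASL branches, with a regression check that fails if the secret reappears. This is an added example, not code from the message above or from the Directory API; the class `RedactedBindRequest`, the helpers `redact` and `leaks`, and the `0x`-prefixed hex rendering that the check looks for are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;

// Hypothetical stand-in class for illustration; not the Directory API's BindRequestImpl.
public class RedactedBindRequest
{
    private final boolean isSimple;
    private final String mechanism; // SASL binds only
    private final byte[] credentials;

    RedactedBindRequest( boolean isSimple, String mechanism, byte[] credentials )
    {
        this.isSimple = isSimple;
        this.mechanism = mechanism;
        this.credentials = credentials;
    }
    // Reports only whether credentials are present, never their value or length.
    private static String redact( byte[] credentials )
    {
        return credentials == null ? "null" : "(omitted-for-safety)";
    }
    @Override
    public String toString()
    {
        StringBuilder sb = new StringBuilder();
        if ( isSimple )
        {
            sb.append( "        Simple authentication : " ).append( redact( credentials ) ).append( '\n' );
        }
        else
        {
            sb.append( "        Sasl credentials\n" );
            sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n" );
            sb.append( "            Credentials : " ).append( redact( credentials ) );
        }
        return sb.toString();
    }
    // Regression check: true if the dump contains the secret as text or as 0x-prefixed hex (assumed format).
    static boolean leaks( String dump, byte[] secret )
    {
        StringBuilder hex = new StringBuilder();
        for ( byte b : secret ) hex.append( String.format( "0x%02X ", b ) );
        String text = new String( secret, StandardCharsets.UTF_8 );
        return secret.length > 0 && ( dump.contains( text ) || dump.contains( hex.toString().trim() ) );
    }
    public static void main( String[] args )
    {
        byte[] secret = "constructed-secret".getBytes( StandardCharsets.UTF_8 ); // constructed sample value
        String dump = new RedactedBindRequest( true, null, secret ).toString();
        if ( leaks( dump, secret ) ) throw new AssertionError( "credentials leaked in toString()" );
        System.out.print( dump );
    }
}
```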
