directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (DIRAPI-197) When dumping a BindRequest, the password is exposed
Date Tue, 29 Jul 2014 04:15:38 GMT

     [ https://issues.apache.org/jira/browse/DIRAPI-197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Emmanuel Lecharny resolved DIRAPI-197.
--------------------------------------

    Resolution: Fixed

Fixed with http://svn.apache.org/r1612859

> When dumping a BindRequest, the password is exposed
> ---------------------------------------------------
>
>                 Key: DIRAPI-197
>                 URL: https://issues.apache.org/jira/browse/DIRAPI-197
>             Project: Directory Client API
>          Issue Type: Bug
>    Affects Versions: 1.0.0-M23
>            Reporter: Emmanuel Lecharny
>            Priority: Blocker
>             Fix For: 1.0.0-M24
>
>
> The BindRequestImpl.toString() metjod does print the password when in Simple mode (it's
not the case when using SASL) :
> {code:java}
>             if ( isSimple )
>             {
>                 sb.append( "        Simple authentication : '" ).append( Strings.utf8ToString(
credentials ) )
>                     .append( '/' ).append( Strings.dumpBytes( credentials ) ).append(
"'\n" );
>             }
>             else
>             {
>                 sb.append( "        Sasl credentials\n" );
>                 sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n"
);
>                 if ( credentials == null )
>                 {
>                     sb.append( "            Credentials : null" );
>                 }
>                 else
>                 {
>                     sb.append( "            Credentials : (omitted-for-safety)" );
>                 }
> {code}
> This is absolutely wrong...



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message