Posted to dev@camel.apache.org by "Lorrin Nelson (JIRA)" <ji...@apache.org> on 2010/09/01 23:47:40 UTC

[jira] Created: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

passwords and other private data contained in URIs should not be logged in plaintext
------------------------------------------------------------------------------------

                 Key: CAMEL-3099
                 URL: https://issues.apache.org/activemq/browse/CAMEL-3099
             Project: Apache Camel
          Issue Type: Improvement
          Components: camel-core
            Reporter: Lorrin Nelson
            Priority: Minor


URIs with sensitive data are common, and URIs are frequently logged. I bumped into this myself most recently with an FTP consumer. I ended up with log messages like this:

RemoteFileProducer 2010-08-31 16:21:45,459 -- INFO -- Connected and logged in to: Endpoint[sftp://myusername@my.host.name/var/my/path?fileName=myFile.txt&password=yikesMyPassword]

I propose a sane-defaults patch of modifying DefaultEndpoint.java's toString to sanitize the URI by looking for URI params containing the tokens "password" or "passphrase" and rendering their value as "*******" instead of the actual value. Obviously this isn't always the right thing to do in every situation, but it seems appropriate for many endpoints. Any for which it is not appropriate could override toString.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

Posted by "Hadrian Zbarcea (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61603#action_61603 ] 

Hadrian Zbarcea commented on CAMEL-3099:
----------------------------------------

Thinking more about it, secret fields should probably be stripped from the uri completely. It's getting a bit late, give me until tomorrow to finish the patch.



[jira] Commented: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

Posted by "Claus Ibsen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61627#action_61627 ] 

Claus Ibsen commented on CAMEL-3099:
------------------------------------

The unit test could just be a simple JUnit TestCase where the reg exp is copied and tested thoroughly.



[jira] Commented: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

Posted by "Hadrian Zbarcea (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61602#action_61602 ] 

Hadrian Zbarcea commented on CAMEL-3099:
----------------------------------------

@Willem,
Encryption has nothing to do with this; the issue is to not display a password in clear in logs, JMX consoles, etc. The patch hardcodes password and passphrase to be considered as secrets. Always. Which may or may not be the case.

If you saw my comment in the message Lorrin sent to the users@ list, I was thinking about the same issue and a solution I am working on now is to annotate with @Secret fields that are considered, well, secrets and must never be displayed in clear. I think that is a more general solution. We will then need to document how to best provide secrets to camel, like properties files with 400 permissions, not use them as arguments in command lines, etc.

Obviously the credit still goes to Lorrin for reporting this :).



[jira] Resolved: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

Posted by "Claus Ibsen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Claus Ibsen resolved CAMEL-3099.
--------------------------------

    Fix Version/s: 2.5.0
       Resolution: Fixed

Thanks for the patch.

trunk: 992207.



[jira] Commented: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

Posted by "Willem Jiang (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61601#action_61601 ] 

Willem Jiang commented on CAMEL-3099:
-------------------------------------

@Hadrian,
I think the patch should be fine, as this patch doesn't touch the endpointUri, which could be used for caching the endpoint.
BTW, a more general thing is that we could support encrypting these sensitive options of the URI.



[jira] Assigned: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

Posted by "Hadrian Zbarcea (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hadrian Zbarcea reassigned CAMEL-3099:
--------------------------------------

    Assignee: Hadrian Zbarcea



[jira] Updated: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

Posted by "Lorrin Nelson (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lorrin Nelson updated CAMEL-3099:
---------------------------------

    Patch Info: [Patch Available]



[jira] Commented: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

Posted by "Hadrian Zbarcea (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61625#action_61625 ] 

Hadrian Zbarcea commented on CAMEL-3099:
----------------------------------------

@Lorrin, fair point.



[jira] Updated: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

Posted by "Lorrin Nelson (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lorrin Nelson updated CAMEL-3099:
---------------------------------

    Attachment: 0001-Reduce-risk-of-showing-passwords-in-URIs-by-adding-c.patch

proposed patch.



[jira] Commented: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

Posted by "Claus Ibsen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61626#action_61626 ] 

Claus Ibsen commented on CAMEL-3099:
------------------------------------

Looks okay since it's only in the {{toString}} method and hence won't affect any internal logic which leverages {{endpointUri}} or {{endpointKey}}.

Would like to have that reg exp unit test though. So if the patch could add tests which ensure the reg exp does as expected.
And obviously that import of a sun internal class should not be included.

Camel should also compile on IBM and other JDKs.



[jira] Commented: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

Posted by "Lorrin Nelson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61606#action_61606 ] 

Lorrin Nelson commented on CAMEL-3099:
--------------------------------------

Hi Hadrian, thanks for giving this prompt attention.

I think it is better to censor the values of the secret fields rather than strip them completely. When you're debugging you often want to know what fields were supplied. Stripping them completely will create confusion.



[jira] Updated: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

Posted by "Lorrin Nelson (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lorrin Nelson updated CAMEL-3099:
---------------------------------

    Attachment: 0002-Add-unit-testing-to-DefaultEndPoint-toString-changes.patch

This patch adds unit tests. It also cleans up the errant imports. Rather than copy the regex I factored out execution of the regex into a helper method and unit test that.

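An added example, not code from the patches attached to this issue and not Camel's own DefaultEndpoint, showing the shape of the approach the thread converges on: a helper that masks the values of query parameters whose names contain "password" or "passphrase" while leaving the parameter names visible (Lorrin's point that a debugger still wants to see which fields were supplied), factored out of toString so the regular expression can be unit tested on its own (Claus's request and the second patch). The class name UriSanitizer, the method names and the regular expression are my assumptions, not what the attached patches contain.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Camel's code): masks secret query-parameter values in a
 * URI before it is rendered for logs, JMX or toString(). Names are assumptions.
 */
public final class UriSanitizer {

    private static final String MASK = "*******";

    // Group 1: the separator ('?' or '&'), a parameter name containing
    // "password" or "passphrase" (case-insensitive), and the '='.
    // Group 2: the value, which runs up to the next '&' or the end of the URI.
    // The name part excludes '=', '&' and '?' so a secret-looking word inside
    // some other parameter's *value* is never mistaken for a parameter name.
    private static final Pattern SECRET_PARAM =
        Pattern.compile("([?&][^&=?]*(?:password|passphrase)[^&=]*=)([^&]*)",
                        Pattern.CASE_INSENSITIVE);

    private UriSanitizer() {
    }

    /** Returns the URI with every secret parameter value replaced by the mask. */
    public static String sanitizeUri(String uri) {
        if (uri == null) {
            return null;
        }
        Matcher m = SECRET_PARAM.matcher(uri);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            // Keep the name and '=', drop the value; quoteReplacement guards
            // against '$' or '\' in the parameter name being treated as a
            // group reference.
            m.appendReplacement(sb, Matcher.quoteReplacement(m.group(1) + MASK));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    /** Checks in the spirit of the unit-test patch; returns true when all pass. */
    static boolean selfTest() {
        // Constructed sample URIs, shaped like the log line in the issue report.
        String original = "sftp://myusername@my.host.name/var/my/path?fileName=myFile.txt&password=yikesMyPassword";
        String expected = "sftp://myusername@my.host.name/var/my/path?fileName=myFile.txt&password=*******";
        boolean ok = expected.equals(sanitizeUri(original));
        // Secret as the first parameter, mixed-case name, and a passphrase parameter.
        ok &= "ftp://h/p?Password=*******&fileName=a".equals(sanitizeUri("ftp://h/p?Password=s3cret&fileName=a"));
        ok &= "ssh://h?privateKeyPassphrase=*******".equals(sanitizeUri("ssh://h?privateKeyPassphrase=open+sesame"));
        // Non-secret parameters and URIs without a query string are left untouched.
        ok &= "file:///tmp?noop=true".equals(sanitizeUri("file:///tmp?noop=true"));
        ok &= "direct:start".equals(sanitizeUri("direct:start"));
        // The parameter name survives, so a reader can still see a password was supplied.
        ok &= sanitizeUri(original).contains("password=");
        return ok;
    }

    public static void main(String[] args) {
        if (!selfTest()) {
            throw new AssertionError("sanitizeUri did not mask as expected");
        }
        System.out.println(sanitizeUri(
            "sftp://myusername@my.host.name/var/my/path?fileName=myFile.txt&password=yikesMyPassword"));
    }
}
```

Two caveats a reviewer would check against this kind of helper. It only covers query-string parameters: a credential carried in the userinfo part of the URI (the `user:secret@host` form) is not touched by this pattern and would need a separate rule. And, as Hadrian points out, which fields are secret is endpoint-specific, so a fixed list of name tokens is a sane default that reduces exposure rather than a guarantee; endpoints that use other names, or that legitimately need the full URI rendered, would override the behaviour. Because the masking is applied only when rendering, values such as `endpointUri` and `endpointKey` that Camel uses internally stay unchanged, which is why Claus was comfortable with the change being confined to `toString`.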


[jira] Commented: (CAMEL-3099) passwords and other private data contained in URIs should not be logged in plaintext

Posted by "Hadrian Zbarcea (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/activemq/browse/CAMEL-3099?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=61600#action_61600 ] 

Hadrian Zbarcea commented on CAMEL-3099:
----------------------------------------

Thanks for reporting this and thanks for the patch. While your patch does the job, let me look a bit into a more general solution.
