Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2014/07/29 06:15:38 UTC
[jira] [Resolved] (DIRAPI-197) When dumping a BindRequest, the password is exposed
[ https://issues.apache.org/jira/browse/DIRAPI-197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny resolved DIRAPI-197.
--------------------------------------
Resolution: Fixed
Fixed with http://svn.apache.org/r1612859
> When dumping a BindRequest, the password is exposed
> ---------------------------------------------------
>
> Key: DIRAPI-197
> URL: https://issues.apache.org/jira/browse/DIRAPI-197
> Project: Directory Client API
> Issue Type: Bug
> Affects Versions: 1.0.0-M23
> Reporter: Emmanuel Lecharny
> Priority: Blocker
> Fix For: 1.0.0-M24
>
>
> The BindRequestImpl.toString() method does print the password when in Simple mode (it's not the case when using SASL):
> {code:java}
> if ( isSimple )
> {
>     // Simple bind: the credentials are appended as text and as a byte dump
>     sb.append( " Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
>         .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
> }
> else
> {
>     // SASL bind: the credentials are never printed
>     sb.append( " Sasl credentials\n" );
>     sb.append( " Mechanism :'" ).append( mechanism ).append( "'\n" );
>     if ( credentials == null )
>     {
>         sb.append( " Credentials : null" );
>     }
>     else
>     {
>         sb.append( " Credentials : (omitted-for-safety)" );
>     }
> }
> {code}
> This is absolutely wrong...
--
This message was sent by Atlassian JIRA
(v6.2#6252)