Posted to commits@jackrabbit.apache.org by tr...@apache.org on 2017/04/26 08:27:02 UTC
svn commit: r1792710 - in /jackrabbit/commons/filevault/trunk/vault-core/src:
main/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddress.java
test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java
Author: tripod
Date: Wed Apr 26 08:27:02 2017
New Revision: 1792710
URL: http://svn.apache.org/viewvc?rev=1792710&view=rev
Log:
JCRVLT-175 Ensure RcpTask is clearing out sensitive data in toString statement
Modified:
jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddress.java
jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java
Modified: jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddress.java
URL: http://svn.apache.org/viewvc/jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddress.java?rev=1792710&r1=1792709&r2=1792710&view=diff
==============================================================================
--- jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddress.java (original)
+++ jackrabbit/commons/filevault/trunk/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddress.java Wed Apr 26 08:27:02 2017
@@ -280,12 +280,18 @@ public class RepositoryAddress {
/**
* {@inheritDoc}
*
- * @return same as {@link #getURI() getURI().toString()}
+ * @return same as {@link #getURI() getURI().toString()} with obfuscated user info
*/
@Override
@Nonnull
public String toString() {
- return getURI().toString();
+ final URI uri = getURI();
+ final String userInfo = uri.getRawUserInfo();
+ if (userInfo != null) {
+ return uri.toString().replace(userInfo, "******:******");
+ } else {
+ return uri.toString();
+ }
}
/**
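Review bot: The masking in `toString()` uses an unanchored `String.replace(userInfo, ...)`, so every occurrence of the user-info text in the URI is rewritten, not only the one in the authority. A short user info (for example a one-letter user name without a password) would also be replaced wherever it appears in the host or path. An empty user info, if the parser reports `""` rather than `null` for `http://@host`, would insert the mask between every character. Anchoring on the delimiters avoids both: `return uri.toString().replace("//" + userInfo + "@", "//******:******@");`. The Javadoc could also state that `getURI()` still carries the raw credentials, so callers that log the URI directly are not covered by this change.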
@@ -372,4 +378,4 @@ public class RepositoryAddress {
}
-}
\ No newline at end of file
+}
Modified: jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java?rev=1792710&r1=1792709&r2=1792710&view=diff
==============================================================================
--- jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java (original)
+++ jackrabbit/commons/filevault/trunk/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java Wed Apr 26 08:27:02 2017
@@ -17,6 +17,10 @@
package org.apache.jackrabbit.vault.fs.api;
+import javax.jcr.SimpleCredentials;
+
+import org.apache.jackrabbit.vault.util.Text;
+
import junit.framework.TestCase;
/**
@@ -370,4 +374,31 @@ public class RepositoryAddressTest exten
RepositoryAddress ra1 = new RepositoryAddress(ra.getURI());
assertEquals("uri", uri, ra1.getURI().toString());
}
+
+ public void testToStringHttpWithUserInfo() throws Exception {
+ String creds = "foo:bar";
+ RepositoryAddress ra = new RepositoryAddress("http://" + creds + "@localhost:8080/-/jcr:root");
+
+ String toString = ra.toString();
+ assertFalse("toString should not contain credentials [" + toString + "]", toString.contains(creds));
+ }
+
+ public void testToStringHttpWithUserInfoEscaped() throws Exception {
+ String creds = "my-user:" + Text.escape("p!@#$%^&*ass");
+ RepositoryAddress ra = new RepositoryAddress("http://" + creds + "@localhost:8080/-/jcr:root");
+
+ String toString = ra.toString();
+ assertFalse("toString should not contain credentials [" + toString + "]", toString.contains(creds));
+ }
+
+ public void testGetCredentials() throws Exception {
+ String user = "my-user";
+ String password = "p!@#$%^&*ass";
+ String creds = Text.escape(user + ":" + password);
+ RepositoryAddress ra = new RepositoryAddress("http://" + creds + "@localhost:8080/-/jcr:root");
+
+ SimpleCredentials sc = (SimpleCredentials) ra.getCredentials();
+ assertEquals("userId", user, sc.getUserID());
+ assertEquals("password", password, new String(sc.getPassword()));
+ }
}
\ No newline at end of file
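Review bot: Both new `toString` tests assert only that the full `user:password` string is absent, so they would still pass if the password survived on its own or if the rest of the address were mangled by the replacement. In `testToStringHttpWithUserInfo` I would add `assertFalse(toString.contains("bar"));` and `assertTrue(toString.endsWith("@localhost:8080/-/jcr:root"));`, the second assuming the address is otherwise rendered unchanged. A case where the user info is a single character that also occurs in the host or path would pin down the behaviour of the unanchored replace in `RepositoryAddress.toString()`.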