You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@commons.apache.org by "Antonin Stefanutti (JIRA)" <ji...@apache.org> on 2012/07/22 16:56:33 UTC

[jira] [Created] (VFS-430) The SoftRefFilesCache logs clear text password

Antonin Stefanutti created VFS-430:
--------------------------------------

             Summary: The SoftRefFilesCache logs clear text password
                 Key: VFS-430
                 URL: https://issues.apache.org/jira/browse/VFS-430
             Project: Commons VFS
          Issue Type: Bug
    Affects Versions: 2.0
            Reporter: Antonin Stefanutti
             Fix For: 2.1


The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (VFS-430) The SoftRefFilesCache class logs clear text password

Posted by "Gary D. Gregory (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420260#comment-13420260 ] 

Gary D. Gregory commented on VFS-430:
-------------------------------------

Thank you for report. Would you care to provide a patch, prefferably with a unit test?
                
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
>                 Key: VFS-430
>                 URL: https://issues.apache.org/jira/browse/VFS-430
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 2.0
>            Reporter: Antonin Stefanutti
>             Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Resolved] (VFS-430) The SoftRefFilesCache class logs clear text password

Posted by "Gary D. Gregory (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary D. Gregory resolved VFS-430.
---------------------------------

    Resolution: Fixed

Committed revision 1364490.
                
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
>                 Key: VFS-430
>                 URL: https://issues.apache.org/jira/browse/VFS-430
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 2.0
>            Reporter: Antonin Stefanutti
>             Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Updated] (VFS-430) The SoftRefFilesCache class logs clear text password

Posted by "Antonin Stefanutti (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonin Stefanutti updated VFS-430:
-----------------------------------

    Summary: The SoftRefFilesCache class logs clear text password  (was: The SoftRefFilesCache logs clear text password)
    
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
>                 Key: VFS-430
>                 URL: https://issues.apache.org/jira/browse/VFS-430
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 2.0
>            Reporter: Antonin Stefanutti
>             Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (VFS-430) The SoftRefFilesCache class logs clear text password

Posted by "Gary D. Gregory (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420767#comment-13420767 ] 

Gary D. Gregory commented on VFS-430:
-------------------------------------

Good suggestion but I wonder if some callers /expect/ the password to be there... might be tricky to check because you'd need to see if a FileName is used in a String expression.
                
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
>                 Key: VFS-430
>                 URL: https://issues.apache.org/jira/browse/VFS-430
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 2.0
>            Reporter: Antonin Stefanutti
>             Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (VFS-430) The SoftRefFilesCache class logs clear text password

Posted by "Gary D. Gregory (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420451#comment-13420451 ] 

Gary D. Gregory commented on VFS-430:
-------------------------------------

Do you know of other places where the password shows up in the log?
                
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
>                 Key: VFS-430
>                 URL: https://issues.apache.org/jira/browse/VFS-430
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 2.0
>            Reporter: Antonin Stefanutti
>             Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (VFS-430) The SoftRefFilesCache class logs clear text password

Posted by "Antonin Stefanutti (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420817#comment-13420817 ] 

Antonin Stefanutti commented on VFS-430:
----------------------------------------

I would rather be defensive in that sensitive case and make sure that clear type password isn't logged inadvertently. But you're right that might break somehow the behavior of the API.
                
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
>                 Key: VFS-430
>                 URL: https://issues.apache.org/jira/browse/VFS-430
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 2.0
>            Reporter: Antonin Stefanutti
>             Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

[jira] [Commented] (VFS-430) The SoftRefFilesCache class logs clear text password

Posted by "Antonin Stefanutti (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420757#comment-13420757 ] 

Antonin Stefanutti commented on VFS-430:
----------------------------------------

I don't know any other places. I'll let you know if I stumble upon new places during my development tests.

One suggestion would be to update the {{FileName.toString()}} implementation by relying on the {{FileName.getFriendlyURI()}}. That would prevent the logging of clear text password inadvertently.
                
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
>                 Key: VFS-430
>                 URL: https://issues.apache.org/jira/browse/VFS-430
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 2.0
>            Reporter: Antonin Stefanutti
>             Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira