You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Antonin Stefanutti (JIRA)" <ji...@apache.org> on 2012/07/22 16:56:33 UTC
[jira] [Created] (VFS-430) The SoftRefFilesCache logs clear text
password
Antonin Stefanutti created VFS-430:
--------------------------------------
Summary: The SoftRefFilesCache logs clear text password
Key: VFS-430
URL: https://issues.apache.org/jira/browse/VFS-430
Project: Commons VFS
Issue Type: Bug
Affects Versions: 2.0
Reporter: Antonin Stefanutti
Fix For: 2.1
The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (VFS-430) The SoftRefFilesCache class logs clear
text password
Posted by "Gary D. Gregory (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420260#comment-13420260 ]
Gary D. Gregory commented on VFS-430:
-------------------------------------
Thank you for report. Would you care to provide a patch, prefferably with a unit test?
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
> Key: VFS-430
> URL: https://issues.apache.org/jira/browse/VFS-430
> Project: Commons VFS
> Issue Type: Bug
> Affects Versions: 2.0
> Reporter: Antonin Stefanutti
> Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (VFS-430) The SoftRefFilesCache class logs clear
text password
Posted by "Gary D. Gregory (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gary D. Gregory resolved VFS-430.
---------------------------------
Resolution: Fixed
Committed revision 1364490.
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
> Key: VFS-430
> URL: https://issues.apache.org/jira/browse/VFS-430
> Project: Commons VFS
> Issue Type: Bug
> Affects Versions: 2.0
> Reporter: Antonin Stefanutti
> Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (VFS-430) The SoftRefFilesCache class logs clear
text password
Posted by "Antonin Stefanutti (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Antonin Stefanutti updated VFS-430:
-----------------------------------
Summary: The SoftRefFilesCache class logs clear text password (was: The SoftRefFilesCache logs clear text password)
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
> Key: VFS-430
> URL: https://issues.apache.org/jira/browse/VFS-430
> Project: Commons VFS
> Issue Type: Bug
> Affects Versions: 2.0
> Reporter: Antonin Stefanutti
> Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (VFS-430) The SoftRefFilesCache class logs clear
text password
Posted by "Gary D. Gregory (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420767#comment-13420767 ]
Gary D. Gregory commented on VFS-430:
-------------------------------------
Good suggestion but I wonder if some callers /expect/ the password to be there... might be tricky to check because you'd need to see if a FileName is used in a String expression.
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
> Key: VFS-430
> URL: https://issues.apache.org/jira/browse/VFS-430
> Project: Commons VFS
> Issue Type: Bug
> Affects Versions: 2.0
> Reporter: Antonin Stefanutti
> Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (VFS-430) The SoftRefFilesCache class logs clear
text password
Posted by "Gary D. Gregory (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420451#comment-13420451 ]
Gary D. Gregory commented on VFS-430:
-------------------------------------
Do you know of other places where the password shows up in the log?
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
> Key: VFS-430
> URL: https://issues.apache.org/jira/browse/VFS-430
> Project: Commons VFS
> Issue Type: Bug
> Affects Versions: 2.0
> Reporter: Antonin Stefanutti
> Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (VFS-430) The SoftRefFilesCache class logs clear
text password
Posted by "Antonin Stefanutti (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420817#comment-13420817 ]
Antonin Stefanutti commented on VFS-430:
----------------------------------------
I would rather be defensive in that sensitive case and make sure that clear type password isn't logged inadvertently. But you're right that might break somehow the behavior of the API.
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
> Key: VFS-430
> URL: https://issues.apache.org/jira/browse/VFS-430
> Project: Commons VFS
> Issue Type: Bug
> Affects Versions: 2.0
> Reporter: Antonin Stefanutti
> Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (VFS-430) The SoftRefFilesCache class logs clear
text password
Posted by "Antonin Stefanutti (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/VFS-430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13420757#comment-13420757 ]
Antonin Stefanutti commented on VFS-430:
----------------------------------------
I don't know any other places. I'll let you know if I stumble upon new places during my development tests.
One suggestion would be to update the {{FileName.toString()}} implementation by relying on the {{FileName.getFriendlyURI()}}. That would prevent the logging of clear text password inadvertently.
> The SoftRefFilesCache class logs clear text password
> ----------------------------------------------------
>
> Key: VFS-430
> URL: https://issues.apache.org/jira/browse/VFS-430
> Project: Commons VFS
> Issue Type: Bug
> Affects Versions: 2.0
> Reporter: Antonin Stefanutti
> Fix For: 2.1
>
>
> The {{org.apache.commons.vfs2.cache.SoftRefFilesCache}} class logs {{FileName}} in the {{putFile}} method with the {{FileName.toString()}} that returns URL with clear password while it should be using the {{FileName.getFriendlyURI()}} method.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira