Posted to issues@commons.apache.org by "Frank (JIRA)" <ji...@apache.org> on 2009/01/03 18:39:44 UTC

[jira] Updated: (VFS-169) Thrown exception reveals passwords

     [ https://issues.apache.org/jira/browse/VFS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Frank updated VFS-169:
----------------------

    Attachment: vfs-pwd.patch

This patch is a very local fix that only changes the toString() method. I would prefer that the password not be returned by methods like getURI either, but this has big implications for the whole URI parsing. The TODO in DefaultFileSystemManager.resolveName(FileName,String,NameScope) first has to be implemented to allow the URI parser to work on relative paths.

> Thrown exception reveals passwords
> ----------------------------------
>
>                 Key: VFS-169
>                 URL: https://issues.apache.org/jira/browse/VFS-169
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 1.0
>            Reporter: Joerg Schaible
>         Attachments: vfs-pwd.patch
>
>
> If an exception occurs accessing a FileObject on a FileSystem that is addressed with a URL containing user and password, the thrown exception contains the password as part of the error message:
> org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server at "sftp://user:password@apache.org/".
> In such a case the URL should be printed as "sftp://user:***@apache.org/". The same applies to log messages, at least for INFO and higher.
> This is a security risk, since in big companies exceptions and logs are normally collected and archived in monitoring systems and may reveal the password to persons who normally have no authorization for the target system.
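The masking the report asks for, as an added example that is not part of vfs-pwd.patch or of Commons VFS itself: a standalone helper (hypothetical name RedactedUri.redact) that parses the URI with java.net.URI and rebuilds it with only the user name kept in the user-info part, so the string can be used safely in exception messages and log lines.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical helper, not part of Commons VFS: renders a URI with its password masked. */
public final class RedactedUri {
    private RedactedUri() {}

    /**
     * Returns the URI with any password in the user-info part replaced by "***", e.g.
     * "sftp://user:secret@host/" becomes "sftp://user:***@host/".
     * URIs without credentials, or with a user name only, are returned unchanged.
     */
    public static String redact(String uriString) {
        try {
            URI uri = new URI(uriString);
            String userInfo = uri.getRawUserInfo();
            if (userInfo == null || userInfo.indexOf(':') < 0) {
                return uriString; // no password present, nothing to hide
            }
            String user = userInfo.substring(0, userInfo.indexOf(':'));
            // Rebuild from components rather than string-replacing, so the mask is
            // applied to the user-info part only and the rest of the URI is untouched.
            return new URI(uri.getScheme(), user + ":***", uri.getHost(), uri.getPort(),
                    uri.getPath(), uri.getQuery(), uri.getFragment()).toString();
        } catch (URISyntaxException e) {
            // Unparseable input is never echoed back: it may still contain credentials.
            return "<unparseable URI>";
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the one from the report
        String[] samples = {
            "sftp://user:password@apache.org/",
            "sftp://user@apache.org/",
            "ftp://apache.org/pub/file.txt",
        };
        for (String s : samples) {
            System.out.println(redact(s));
        }
        // An error message built the way the report suggests
        System.out.println("Could not connect to SFTP server at \"" + redact(samples[0]) + "\".");
    }
}
```

The same helper is what a toString() or a log statement should call before the URI reaches an exception message, since once the message is thrown it is outside the library's control.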
