Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/02/22 17:37:23 UTC
[Bug 54599] New: DataSource password is exposed to applications via
toString method
https://issues.apache.org/bugzilla/show_bug.cgi?id=54599
Bug ID: 54599
Summary: DataSource password is exposed to applications via
toString method
Product: Tomcat Modules
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: minor
Priority: P2
Component: jdbc-pool
Assignee: dev@tomcat.apache.org
Reporter: dmikusa@vmware.com
Classification: Unclassified
On the server side, create a DataSource using
"org.apache.tomcat.jdbc.pool.DataSourceFactory".
Ex:
<Resource auth="Container"
description=""
name="jdbc/testTomcatJdbc"
factory="org.apache.tomcat.jdbc.pool.DataSourceFactory"
type="javax.sql.DataSource"
username="sa"
password="super-secret"
driverClassName="org.h2.Driver"
url="jdbc:h2:mem:test"
minIdle="1"
initialSize="1" />
In a web application, create a JSP file, add the following:
<%@ page import="javax.naming.*" session="false" %>
<!DOCTYPE HTML>
<html>
<head>
<title>Display Password!</title>
</head>
<body>
<h1>toString for Tomcat JDBC</h1>
<%
// Look up the container-managed DataSource declared by the Resource element
// above and print its toString(); this is where the configured password leaks.
Context ctx = new InitialContext();
javax.sql.DataSource dataSource = (javax.sql.DataSource)
ctx.lookup("java:/comp/env/jdbc/testTomcatJdbc");
out.println("<p>" + dataSource.toString() + "</p>");
%>
</body>
</html>
Access the JSP in your browser. The output from toString on the DataSource
will display the password that was configured in the <Resource/> tag.
Example Output:
toString for Tomcat JDBC
org.apache.tomcat.jdbc.pool.DataSource@75cae120{ConnectionPool[defaultAutoCommit=null;
defaultReadOnly=null; defaultTransactionIsolation=-1; defaultCatalog=null;
driverClassName=org.h2.Driver; maxActive=100; maxIdle=100; minIdle=1;
initialSize=1; maxWait=30000; testOnBorrow=false; testOnReturn=false;
timeBetweenEvictionRunsMillis=5000; numTestsPerEvictionRun=0;
minEvictableIdleTimeMillis=60000; testWhileIdle=false; testOnConnect=false;
password=super-secret; url=jdbc:h2:mem:test; username=sa; validationQuery=null;
validatorClassName=null; validationInterval=30000;
accessToUnderlyingConnectionAllowed=true; removeAbandoned=false;
removeAbandonedTimeout=60; logAbandoned=false; connectionProperties=null;
initSQL=null; jdbcInterceptors=null; jmxEnabled=true; fairQueue=true;
useEquals=true; abandonWhenPercentageFull=0; maxAge=0; useLock=false;
dataSource=null; dataSourceJNDI=null; suspectTimeout=0;
alternateUsernameAllowed=false; commitOnReturn=false; rollbackOnReturn=false;
useDisposableConnectionFacade=true; logValidationErrors=false;
propagateInterruptState=false; }
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
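As an added illustration that is not the reporter's code and not Tomcat's (the actual fix is the patch attached to the bug in comment #1 and is not reproduced here), the following stand-alone Java program reproduces the class of bug described in the report above with an invented pool-configuration object: a toString() that dumps every configured property, password included, beside the masked variant the patch aims at, and the check an application or unit test can run against any DataSource it can reach. The class names LeakyPoolConfig and MaskedPoolConfig, the helper leaksSecret, the fixed "********" mask and the sample values are assumptions made for this example.

```java
// Added example (not Tomcat's code): a minimal pool-configuration object that
// reproduces the class of bug in 54599 and the masking the reporter's patch
// aims at. Class and method names here are invented for this illustration.
import java.util.LinkedHashMap;
import java.util.Map;

public class ToStringLeakDemo {

    /** Before: toString() dumps every property, including the password. */
    static class LeakyPoolConfig {
        final Map<String, String> props = new LinkedHashMap<>();

        LeakyPoolConfig(String url, String username, String password) {
            props.put("driverClassName", "org.h2.Driver");
            props.put("url", url);
            props.put("username", username);
            props.put("password", password);   // stored like any other property
        }

        @Override
        public String toString() {
            StringBuilder sb = new StringBuilder("ConnectionPool[");
            for (Map.Entry<String, String> e : props.entrySet()) {
                sb.append(e.getKey()).append('=').append(e.getValue()).append("; ");
            }
            return sb.append(']').toString();
        }
    }

    /** After: the same object, but toString() masks the password. */
    static class MaskedPoolConfig extends LeakyPoolConfig {
        MaskedPoolConfig(String url, String username, String password) {
            super(url, username, password);
        }

        @Override
        public String toString() {
            StringBuilder sb = new StringBuilder("ConnectionPool[");
            for (Map.Entry<String, String> e : props.entrySet()) {
                // Fixed-length mask: reveals neither the value nor its length.
                String value = "password".equals(e.getKey()) && e.getValue() != null
                        ? "********"
                        : e.getValue();
                sb.append(e.getKey()).append('=').append(value).append("; ");
            }
            return sb.append(']').toString();
        }
    }

    /**
     * The check a web application (or a unit test in the pool itself) can run:
     * any caller that can reach the DataSource can call toString() on it, so
     * the rendered string must never contain the configured secret.
     */
    static boolean leaksSecret(Object dataSource, String secret) {
        return String.valueOf(dataSource).contains(secret);
    }

    public static void main(String[] args) {
        // Constructed sample values, matching the Resource element in the report.
        String secret = "super-secret";
        Object leaky = new LeakyPoolConfig("jdbc:h2:mem:test", "sa", secret);
        Object masked = new MaskedPoolConfig("jdbc:h2:mem:test", "sa", secret);

        System.out.println(leaky);
        System.out.println(masked);
        System.out.println("leaky exposes password:  " + leaksSecret(leaky, secret));
        System.out.println("masked exposes password: " + leaksSecret(masked, secret));
    }
}
```

leaksSecret returns true for the leaky object and false for the masked one. The same check is worth keeping as a regression test wherever a configuration object holds credentials, because toString() output rarely stays on the page that called it: it ends up in debug logs, error pages and stack traces that are read by people and systems the DataSource was never meant to trust.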
[Bug 54599] DataSource password is exposed to applications via
toString method
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54599
Martin Lichtin <li...@yahoo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |lichtin@yahoo.com
[Bug 54599] DataSource password is exposed to applications via
toString method
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54599
Konstantin Kolinko <kn...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #2 from Konstantin Kolinko <kn...@gmail.com> ---
Thank you for the patch.
Fixed by r1459683 and will be in 7.0.39.
[Bug 54599] DataSource password is exposed to applications via
toString method
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54599
--- Comment #1 from Daniel Mikusa <dm...@vmware.com> ---
Created attachment 29983
--> https://issues.apache.org/bugzilla/attachment.cgi?id=29983&action=edit
Patch
Attaching a simple patch to mask the password in toString.
[Bug 54599] DataSource password is exposed to applications via
toString method
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54599
--- Comment #3 from Jackie Rosen <ja...@hushmail.com> ---
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/adult-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.