You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@qpid.apache.org by "Keith Wall (JIRA)" <ji...@apache.org> on 2015/04/23 11:31:38 UTC

[jira] [Created] (QPID-6506) PropertiesFileInitialContextFactory pollutes system properties with values that may contain passwords

Keith Wall created QPID-6506:
--------------------------------

             Summary: PropertiesFileInitialContextFactory pollutes system properties with values that may contain passwords
                 Key: QPID-6506
                 URL: https://issues.apache.org/jira/browse/QPID-6506
             Project: Qpid
          Issue Type: Bug
          Components: 0.8, 0.32
            Reporter: Keith Wall
            Priority: Minor


The current implementation of PropertiesFileInitialContextFactory sets each property key encountered in the properties file as a system property (providing a system property with the same name does not already exist).

 It is not uncommon for applications or frameworks to log all system properties to aid diagnostics.  If such an application were to include the Qpid client, such logging may include connection urls and thus may include passwords in the clear too.

It seems difficult to justify why the PropertiesFileInitialContextFactory should behave in this way.  To me, it does not obviously support a end user use-case.  The commit comment goes back six years and seems to include a change made to help testing.

Change PropertiesFileInitialContextFactory so that it no longer alters the system properties.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org