Posted to commits@cloudstack.apache.org by de...@apache.org on 2014/09/12 12:00:38 UTC

git commit: updated refs/heads/master to d90a2d3

Repository: cloudstack
Updated Branches:
  refs/heads/master fa1156092 -> d90a2d396


CLOUDSTACK-7370: Fixed password visible in plain text if password passed is in the end in url


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/d90a2d39
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/d90a2d39
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/d90a2d39

Branch: refs/heads/master
Commit: d90a2d39626938e8291b536902fb3e520e1284fe
Parents: fa11560
Author: Anshul Gangwar <an...@citrix.com>
Authored: Tue Aug 19 14:17:21 2014 +0530
Committer: Devdeep Singh <de...@gmail.com>
Committed: Fri Sep 12 15:33:24 2014 +0530

----------------------------------------------------------------------
 utils/src/com/cloud/utils/StringUtils.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/d90a2d39/utils/src/com/cloud/utils/StringUtils.java
----------------------------------------------------------------------
diff --git a/utils/src/com/cloud/utils/StringUtils.java b/utils/src/com/cloud/utils/StringUtils.java
index 17b8fc0..7014e5c 100644
--- a/utils/src/com/cloud/utils/StringUtils.java
+++ b/utils/src/com/cloud/utils/StringUtils.java
@@ -159,7 +159,9 @@ public class StringUtils {
     }
 
     // removes a password request param and it's value, also considering password is in query parameter value which has been url encoded
-    private static final Pattern REGEX_PASSWORD_QUERYSTRING = Pattern.compile("(&|%26)?((p|P)assword|accesskey|secretkey)(=|%3D).*?(?=(%26|[&'\"]))");
+    private static final Pattern REGEX_PASSWORD_QUERYSTRING = Pattern.compile("(&|%26)?[^(&|%26)]*((p|P)assword|accesskey|secretkey)(=|%3D).*?(?=(%26|[&'\"]))");
+
+    private static final Pattern REGEX_END_PASSWORD_QUERYSTRING = Pattern.compile("(&|%26)[^(&|%26)]*((p|P)assword|accesskey|secretkey)(=|%3D).*");
 
     // removes a password/accesskey/ property from a response json object
     private static final Pattern REGEX_PASSWORD_JSON = Pattern.compile("\"((p|P)assword|accesskey|secretkey)\":\\s?\".*?\",?");
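Review bot: `[^(&|%26)]*` in both new patterns is a character class, not a negated alternation, so it excludes the single characters `(`, `&`, `|`, `%`, `2`, `6` and `)`. In REGEX_END_PASSWORD_QUERYSTRING the leading separator is mandatory, so a trailing parameter whose name has a `2`, `6` or `%` between the separator and the keyword is not matched and its value stays in the output. A tempered form such as `(?:(?!%26)[^&])*` expresses the intended "no separator in between". A credential that is the only parameter after `?` at the end of the string also appears to slip past both patterns, since the first needs a trailing delimiter and the second a leading `&` or `%26`. The new constant also lacks the explanatory comment its neighbours carry.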
@@ -175,6 +177,7 @@ public class StringUtils {
         String cleanResult = "";
         if (stringToClean != null) {
             cleanResult = REGEX_PASSWORD_QUERYSTRING.matcher(stringToClean).replaceAll("");
+            cleanResult = REGEX_END_PASSWORD_QUERYSTRING.matcher(cleanResult).replaceAll("");
             cleanResult = REGEX_PASSWORD_JSON.matcher(cleanResult).replaceAll("");
             Matcher detailsMatcher = REGEX_PASSWORD_DETAILS.matcher(cleanResult);
             while (detailsMatcher.find()) {
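Review bot: The added pass has no comment saying why a second query-string pattern is needed or how much it deletes. Because REGEX_END_PASSWORD_QUERYSTRING ends in `.*`, it removes everything from the matched parameter to the end of the line, not only the value. I would add `// credential is the last query parameter: no trailing delimiter for the lookahead above, so strip to end of line` above the new call. If callers pass whole log lines or text that continues after the URL, that trailing text is dropped as well, which is presumably acceptable for a scrubber but worth stating. The method body starts and ends outside this hunk.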