You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@mina.apache.org by "Daniel Abramovich (JIRA)" <ji...@apache.org> on 2008/04/02 00:13:24 UTC

[jira] Created: (FTPSERVER-120) FtpServer should not log passwords in clear text.

FtpServer should not log passwords in clear text.
-------------------------------------------------

                 Key: FTPSERVER-120
                 URL: https://issues.apache.org/jira/browse/FTPSERVER-120
             Project: FtpServer
          Issue Type: Bug
            Reporter: Daniel Abramovich
            Priority: Minor


Those log statements are logged by the MINA logging filter and there's
not much we can do about that one (expect for not including in the
default setup). We could roll our own logging filter that takes out
the password. Please file a JIRA ticket and I'll take care of it.

/niklas


> Hi,
>
>
>
>  I'd like to make a suggestion that passwords not be logged in clear
>  text. For example:
>
>
>
>  Thu Mar 27 2008 00:06:08,762 EDT INFO
>  org.apache.ftpserver.listener.mina.MinaFtpProtocolHandler -
>  [/10.6.20.226:63995] RECEIVED: PASS admin
>
>
>
>  We find the protocol logging to be useful, but logging of passwords will
>  make security folks unhappy. Perhaps, it could just log ******* or
>  somesuch?
>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Closed: (FTPSERVER-120) FtpServer should not log passwords in clear text.

Posted by "Niklas Gustavsson (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/FTPSERVER-120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Niklas Gustavsson closed FTPSERVER-120.
---------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.0-M2

Fixed, requires the latest MINA snapshot so make sure Maven upgrades when bullding.

commit -m "+ FtpLoggingFilter, specialized LoggingFilter for masking FTP password (FTPSERVER-120)" /home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/filesystem/NativeFileSystemManager.java /home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/filter /home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/filter/FtpLoggingFilter.java /home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/listener/mina/MinaListener.java
    Sending        /home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/filesystem/NativeFileSystemManager.java
    Adding         /home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/filter
    Adding         /home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/filter/FtpLoggingFilter.java
    Sending        /home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/listener/mina/MinaListener.java
    Transmitting file data ...
    Committed revision 645286.

> FtpServer should not log passwords in clear text.
> -------------------------------------------------
>
>                 Key: FTPSERVER-120
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-120
>             Project: FtpServer
>          Issue Type: Bug
>            Reporter: Daniel Abramovich
>            Assignee: Niklas Gustavsson
>            Priority: Minor
>             Fix For: 1.0-M2
>
>
> Those log statements are logged by the MINA logging filter and there's
> not much we can do about that one (expect for not including in the
> default setup). We could roll our own logging filter that takes out
> the password. Please file a JIRA ticket and I'll take care of it.
> /niklas
> > Hi,
> >
> >
> >
> >  I'd like to make a suggestion that passwords not be logged in clear
> >  text. For example:
> >
> >
> >
> >  Thu Mar 27 2008 00:06:08,762 EDT INFO
> >  org.apache.ftpserver.listener.mina.MinaFtpProtocolHandler -
> >  [/10.6.20.226:63995] RECEIVED: PASS admin
> >
> >
> >
> >  We find the protocol logging to be useful, but logging of passwords will
> >  make security folks unhappy. Perhaps, it could just log ******* or
> >  somesuch?
> >

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Assigned: (FTPSERVER-120) FtpServer should not log passwords in clear text.

Posted by "Niklas Gustavsson (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/FTPSERVER-120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Niklas Gustavsson reassigned FTPSERVER-120:
-------------------------------------------

    Assignee: Niklas Gustavsson

> FtpServer should not log passwords in clear text.
> -------------------------------------------------
>
>                 Key: FTPSERVER-120
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-120
>             Project: FtpServer
>          Issue Type: Bug
>            Reporter: Daniel Abramovich
>            Assignee: Niklas Gustavsson
>            Priority: Minor
>
> Those log statements are logged by the MINA logging filter and there's
> not much we can do about that one (expect for not including in the
> default setup). We could roll our own logging filter that takes out
> the password. Please file a JIRA ticket and I'll take care of it.
> /niklas
> > Hi,
> >
> >
> >
> >  I'd like to make a suggestion that passwords not be logged in clear
> >  text. For example:
> >
> >
> >
> >  Thu Mar 27 2008 00:06:08,762 EDT INFO
> >  org.apache.ftpserver.listener.mina.MinaFtpProtocolHandler -
> >  [/10.6.20.226:63995] RECEIVED: PASS admin
> >
> >
> >
> >  We find the protocol logging to be useful, but logging of passwords will
> >  make security folks unhappy. Perhaps, it could just log ******* or
> >  somesuch?
> >

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.