Posted to dev@camel.apache.org by "Ales Dolecek (JIRA)" <ji...@apache.org> on 2011/05/17 12:17:47 UTC

[jira] [Created] (CAMEL-3980) Exception message contains plaintext password

Exception message contains plaintext password
---------------------------------------------

                 Key: CAMEL-3980
                 URL: https://issues.apache.org/jira/browse/CAMEL-3980
             Project: Camel
          Issue Type: Improvement
          Components: camel-ftp
    Affects Versions: 2.6.0
         Environment: Configured via Spring
            Reporter: Ales Dolecek


The exception thrown by RemoteFilePollingConsumerPollStrategy shows the URI and shows the password in plaintext. Since we report ERROR and WARN messages from logs to external destinations (SNMP and mail) the password leaves the system and we are losing control over its spread across the enterprise. I decided to mark this as a major issue since it is security related. I have found another issue #CAMEL-3099 related to cleartext passwords in log files. It is closed however - don't know if I should try to reopen it.

Here is sample log (the username and password parameters were altered):

2011-05-16 22:35:07,210 WARN  [FtpConsumer] File operation failed:  Software caused connection abort: socket write error. Code: 250
2011-05-16 22:35:07,210 WARN  [RemoteFilePollingConsumerPollStrategy] Consumer Consumer[ftp://172.23.224.92//usr4/account?binary=true&delay=900000&filter=%23taxFileFilter&idempotentRepository=%23dac1Checker&maxMessagesPerPoll=1&noop=true&password=myPassword&username=myAccount] could not poll endpoint: ftp://172.23.224.92//usr4/account?binary=true&delay=900000&filter=%23taxFileFilter&idempotentRepository=%23dac1Checker&maxMessagesPerPoll=1&noop=true&password=myPassword&username=myAccount caused by: File operation failed:  Software caused connection abort: recv failed. Code: 250
org.apache.camel.component.file.GenericFileOperationFailedException: File operation failed:  Software caused connection abort: recv failed. Code: 250
	at org.apache.camel.component.file.remote.FtpOperations.getCurrentDirectory(FtpOperations.java:548)
	at org.apache.camel.component.file.remote.FtpConsumer.pollDirectory(FtpConsumer.java:43)
	at org.apache.camel.component.file.GenericFileConsumer.poll(GenericFileConsumer.java:83)
	at org.apache.camel.impl.ScheduledPollConsumer.run(ScheduledPollConsumer.java:97)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
	at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source) Caused by: java.net.SocketException: Software caused connection abort: recv failed
	at java.net.SocketInputStream.socketRead0(Native Method)
	at java.net.SocketInputStream.read(Unknown Source)
	at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
	at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
	at sun.nio.cs.StreamDecoder.read(Unknown Source)
	at java.io.InputStreamReader.read(Unknown Source)
	at java.io.BufferedReader.fill(Unknown Source)
	at java.io.BufferedReader.readLine(Unknown Source)
	at java.io.BufferedReader.readLine(Unknown Source)
	at org.apache.commons.net.ftp.FTP.__getReply(FTP.java:294)
	at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:490)
	at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:534)
	at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:583)
	at org.apache.commons.net.ftp.FTP.pwd(FTP.java:1270)
	at org.apache.commons.net.ftp.FTPClient.printWorkingDirectory(FTPClient.java:1800)
	at org.apache.camel.component.file.remote.FtpOperations.getCurrentDirectory(FtpOperations.java:546)
	... 12 more

Ales

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Re: [jira] [Created] (CAMEL-3980) Exception message contains plaintext password

Posted by Ishara2015 <is...@gmail.com>.
I also faced the same problem & here I'm giving my solution.

If you are writing logs to a file and using Log4j etc., you can set a filter
to decide whether records containing plain text passwords should be logged
or not.

I got the issue solved by getting the appender and setting a formatter,
overriding the format method as you want.



--
View this message in context: http://camel.465427.n5.nabble.com/jira-Created-CAMEL-3980-Exception-message-contains-plaintext-password-tp4403155p5754942.html
Sent from the Camel Development mailing list archive at Nabble.com.

[jira] [Updated] (CAMEL-3980) Exception message contains plaintext password

Posted by "Taariq Levack (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CAMEL-3980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Taariq Levack updated CAMEL-3980:
---------------------------------

    Attachment: CAMEL-3980_UnitTestIncluded.patch

Sure Hadrian, new patch includes unit tests as well as previous changes.

> Exception message contains plaintext password
> ---------------------------------------------
>
>                 Key: CAMEL-3980
>                 URL: https://issues.apache.org/jira/browse/CAMEL-3980
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-ftp
>    Affects Versions: 2.6.0
>         Environment: Configured via Spring
>            Reporter: Ales Dolecek
>              Labels: logging, security
>         Attachments: CAMEL-3980.patch, CAMEL-3980_UnitTestIncluded.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>


[jira] [Updated] (CAMEL-3980) Exception message contains plaintext password

Posted by "Taariq Levack (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CAMEL-3980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Taariq Levack updated CAMEL-3980:
---------------------------------

    Attachment: CAMEL-3980.patch

The patch sanitizes the URL for RemoteFileProducer and FtpConsumer, and also logs the endpoint's toString instead of the endpoint URI so that is sanitized too.

No additional tests were added, DefaultEndpointTest already tests the sanitizing and FromFtpSimulateNetworkIssueRecoverTest.testFtpRecover logs will show that the problem is solved for ftp.

If there are others I'm unaware of please let me know.

> Exception message contains plaintext password
> ---------------------------------------------
>
>                 Key: CAMEL-3980
>                 URL: https://issues.apache.org/jira/browse/CAMEL-3980
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-ftp
>    Affects Versions: 2.6.0
>         Environment: Configured via Spring
>            Reporter: Ales Dolecek
>              Labels: logging, security
>         Attachments: CAMEL-3980.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>

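The two mitigations discussed in this thread, sanitizing the URI before it reaches a message (the patch above) and masking at the logging layer (the formatter suggestion earlier), sketched as an added example that is not taken from the Camel patches or from any poster. The class names, the list of secret parameter names and the mask string are assumptions, and java.util.logging stands in for Log4j so the code runs on the JDK alone.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Formatter;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;
import java.util.regex.Pattern;

/** Hypothetical demo class; none of these names come from Camel. */
public class UriRedactionExample {

    // Query parameters treated as secrets. The list is an assumption for this
    // example; extend it to match the endpoint options you actually use.
    private static final Pattern SECRET_PARAM = Pattern.compile(
            "([?&](?:password|passphrase|secret)=)[^&\\s\\]]*",
            Pattern.CASE_INSENSITIVE);

    // Password carried in the authority part: scheme://user:password@host
    private static final Pattern USERINFO_PASSWORD = Pattern.compile(
            "(://[^/?#\\s:@]+:)[^@/?#\\s]*(@)");

    /** Masks secret values anywhere in the text; parameter names are kept. */
    static String sanitize(String text) {
        if (text == null) {
            return null;
        }
        String masked = SECRET_PARAM.matcher(text).replaceAll("$1******");
        return USERINFO_PASSWORD.matcher(masked).replaceAll("$1******$2");
    }

    /**
     * Backstop at the logging layer: wraps another formatter and masks its
     * output, which includes the exception message and stack trace text.
     */
    static class RedactingFormatter extends Formatter {
        private final Formatter delegate;

        RedactingFormatter(Formatter delegate) {
            this.delegate = delegate;
        }

        @Override
        public String format(LogRecord record) {
            return sanitize(delegate.format(record));
        }
    }

    public static void main(String[] args) {
        // Constructed sample, shortened from the WARN line in the report.
        String warn = "Consumer[ftp://172.23.224.92//usr4/account?noop=true"
                + "&password=myPassword&username=myAccount] could not poll endpoint";
        System.out.println(sanitize(warn));

        Logger log = Logger.getLogger("redaction.demo");
        log.setUseParentHandlers(false);
        ConsoleHandler handler = new ConsoleHandler();
        handler.setFormatter(new RedactingFormatter(new SimpleFormatter()));
        log.addHandler(handler);

        // The secret appears both in the message and in the nested exception text.
        log.log(Level.WARNING,
                "could not poll ftp://myAccount:myPassword@172.23.224.92/usr4/account",
                new IllegalStateException(
                        "File operation failed: ftp://172.23.224.92/usr4/account?password=myPassword"));
    }
}
```

The formatter only protects destinations that write through that handler; anything that reads the exception object directly still sees the unmasked message, which is why sanitizing where the message is built remains the primary fix.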

[jira] [Commented] (CAMEL-3980) Exception message contains plaintext password

Posted by "Hadrian Zbarcea (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CAMEL-3980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13035153#comment-13035153 ] 

Hadrian Zbarcea commented on CAMEL-3980:
----------------------------------------

Taariq, is it possible to put together a quick unit test for this? Thanks for the contribution!

> Exception message contains plaintext password
> ---------------------------------------------
>
>                 Key: CAMEL-3980
>                 URL: https://issues.apache.org/jira/browse/CAMEL-3980
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-ftp
>    Affects Versions: 2.6.0
>         Environment: Configured via Spring
>            Reporter: Ales Dolecek
>              Labels: logging, security
>         Attachments: CAMEL-3980.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>


[jira] [Updated] (CAMEL-3980) Exception message contains plaintext password

Posted by "Claus Ibsen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CAMEL-3980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Claus Ibsen updated CAMEL-3980:
-------------------------------

      Description: 
The exception thrown by RemoteFilePollingConsumerPollStrategy shows the URI and shows the password in plaintext. Since we report ERROR and WARN messages from logs to external destinations (SNMP and mail) the password leaves the system and we are losing control over its spread across the enterprise. I decided to mark this as a major issue since it is security related. I have found another issue #CAMEL-3099 related to cleartext passwords in log files. It is closed however - don't know if I should try to reopen it.

Here is sample log (the username and password parameters were altered):
{code}
2011-05-16 22:35:07,210 WARN  [FtpConsumer] File operation failed:  Software caused connection abort: socket write error. Code: 250
2011-05-16 22:35:07,210 WARN  [RemoteFilePollingConsumerPollStrategy] Consumer Consumer[ftp://172.23.224.92//usr4/account?binary=true&delay=900000&filter=%23taxFileFilter&idempotentRepository=%23dac1Checker&maxMessagesPerPoll=1&noop=true&password=myPassword&username=myAccount] could not poll endpoint: ftp://172.23.224.92//usr4/account?binary=true&delay=900000&filter=%23taxFileFilter&idempotentRepository=%23dac1Checker&maxMessagesPerPoll=1&noop=true&password=myPassword&username=myAccount caused by: File operation failed:  Software caused connection abort: recv failed. Code: 250
org.apache.camel.component.file.GenericFileOperationFailedException: File operation failed:  Software caused connection abort: recv failed. Code: 250
	at org.apache.camel.component.file.remote.FtpOperations.getCurrentDirectory(FtpOperations.java:548)
	at org.apache.camel.component.file.remote.FtpConsumer.pollDirectory(FtpConsumer.java:43)
	at org.apache.camel.component.file.GenericFileConsumer.poll(GenericFileConsumer.java:83)
	at org.apache.camel.impl.ScheduledPollConsumer.run(ScheduledPollConsumer.java:97)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
	at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source) Caused by: java.net.SocketException: Software caused connection abort: recv failed
	at java.net.SocketInputStream.socketRead0(Native Method)
	at java.net.SocketInputStream.read(Unknown Source)
	at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
	at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
	at sun.nio.cs.StreamDecoder.read(Unknown Source)
	at java.io.InputStreamReader.read(Unknown Source)
	at java.io.BufferedReader.fill(Unknown Source)
	at java.io.BufferedReader.readLine(Unknown Source)
	at java.io.BufferedReader.readLine(Unknown Source)
	at org.apache.commons.net.ftp.FTP.__getReply(FTP.java:294)
	at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:490)
	at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:534)
	at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:583)
	at org.apache.commons.net.ftp.FTP.pwd(FTP.java:1270)
	at org.apache.commons.net.ftp.FTPClient.printWorkingDirectory(FTPClient.java:1800)
	at org.apache.camel.component.file.remote.FtpOperations.getCurrentDirectory(FtpOperations.java:546)
	... 12 more
{code}

Ales

  was:
The exception thrown by RemoteFilePollingConsumerPollStrategy shows the URI and shows the password in plaintext. Since we report ERROR and WARN messages from logs to external destinations (SNMP and mail) the password leaves the system and we are losing control over its spread across the enterprise. I decided to mark this as a major issue since it is security related. I have found another issue #CAMEL-3099 related to cleartext passwords in log files. It is closed however - don't know if I should try to reopen it.

Here is sample log (the username and password parameters were altered):

2011-05-16 22:35:07,210 WARN  [FtpConsumer] File operation failed:  Software caused connection abort: socket write error. Code: 250
2011-05-16 22:35:07,210 WARN  [RemoteFilePollingConsumerPollStrategy] Consumer Consumer[ftp://172.23.224.92//usr4/account?binary=true&delay=900000&filter=%23taxFileFilter&idempotentRepository=%23dac1Checker&maxMessagesPerPoll=1&noop=true&password=myPassword&username=myAccount] could not poll endpoint: ftp://172.23.224.92//usr4/account?binary=true&delay=900000&filter=%23taxFileFilter&idempotentRepository=%23dac1Checker&maxMessagesPerPoll=1&noop=true&password=myPassword&username=myAccount caused by: File operation failed:  Software caused connection abort: recv failed. Code: 250
org.apache.camel.component.file.GenericFileOperationFailedException: File operation failed:  Software caused connection abort: recv failed. Code: 250
	at org.apache.camel.component.file.remote.FtpOperations.getCurrentDirectory(FtpOperations.java:548)
	at org.apache.camel.component.file.remote.FtpConsumer.pollDirectory(FtpConsumer.java:43)
	at org.apache.camel.component.file.GenericFileConsumer.poll(GenericFileConsumer.java:83)
	at org.apache.camel.impl.ScheduledPollConsumer.run(ScheduledPollConsumer.java:97)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
	at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source) Caused by: java.net.SocketException: Software caused connection abort: recv failed
	at java.net.SocketInputStream.socketRead0(Native Method)
	at java.net.SocketInputStream.read(Unknown Source)
	at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
	at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
	at sun.nio.cs.StreamDecoder.read(Unknown Source)
	at java.io.InputStreamReader.read(Unknown Source)
	at java.io.BufferedReader.fill(Unknown Source)
	at java.io.BufferedReader.readLine(Unknown Source)
	at java.io.BufferedReader.readLine(Unknown Source)
	at org.apache.commons.net.ftp.FTP.__getReply(FTP.java:294)
	at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:490)
	at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:534)
	at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:583)
	at org.apache.commons.net.ftp.FTP.pwd(FTP.java:1270)
	at org.apache.commons.net.ftp.FTPClient.printWorkingDirectory(FTPClient.java:1800)
	at org.apache.camel.component.file.remote.FtpOperations.getCurrentDirectory(FtpOperations.java:546)
	... 12 more

Ales

    Fix Version/s: 2.8.0

> Exception message contains plaintext password
> ---------------------------------------------
>
>                 Key: CAMEL-3980
>                 URL: https://issues.apache.org/jira/browse/CAMEL-3980
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-ftp
>    Affects Versions: 2.6.0
>         Environment: Configured via Spring
>            Reporter: Ales Dolecek
>            Assignee: Claus Ibsen
>              Labels: logging, security
>             Fix For: 2.8.0
>
>         Attachments: CAMEL-3980.patch, CAMEL-3980_Refactored_To_UriUtils.patch, CAMEL-3980_Refactored_To_UriUtils_2.patch, CAMEL-3980_UnitTestIncluded.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>


[jira] [Commented] (CAMEL-3980) Exception message contains plaintext password

Posted by "Claus Ibsen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CAMEL-3980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13036035#comment-13036035 ] 

Claus Ibsen commented on CAMEL-3980:
------------------------------------

Thanks for the patch.

We should probably consider adding a getSantiziedEndpointUri to Endpoint.
And possibly have its toString return the sanitized URI as well.


> Exception message contains plaintext password
> ---------------------------------------------
>
>                 Key: CAMEL-3980
>                 URL: https://issues.apache.org/jira/browse/CAMEL-3980
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-ftp
>    Affects Versions: 2.6.0
>         Environment: Configured via Spring
>            Reporter: Ales Dolecek
>            Assignee: Claus Ibsen
>              Labels: logging, security
>             Fix For: 2.8.0
>
>         Attachments: CAMEL-3980.patch, CAMEL-3980_Refactored_To_UriUtils.patch, CAMEL-3980_Refactored_To_UriUtils_2.patch, CAMEL-3980_UnitTestIncluded.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>

[jira] [Commented] (CAMEL-3980) Exception message contains plaintext password

Posted by "Claus Ibsen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CAMEL-3980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13035254#comment-13035254 ] 

Claus Ibsen commented on CAMEL-3980:
------------------------------------

We should move the DefaultEndpoint.sanitizeUri method to a util class so we can better reuse it.

> Exception message contains plaintext password
> ---------------------------------------------
>
>                 Key: CAMEL-3980
>                 URL: https://issues.apache.org/jira/browse/CAMEL-3980
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-ftp
>    Affects Versions: 2.6.0
>         Environment: Configured via Spring
>            Reporter: Ales Dolecek
>              Labels: logging, security
>         Attachments: CAMEL-3980.patch, CAMEL-3980_UnitTestIncluded.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
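
Added example, not the CAMEL-3980 patch and not Camel's own code: one way to write the reusable sanitizer discussed in the two comments above, as a static utility plus an endpoint whose toString returns the sanitized URI. The class and method names, the mask string and the list of secret parameter names are assumptions made for this illustration.

```java
import java.util.regex.Pattern;

public final class UriSanitizerExample {

    private static final String MASK = "******";

    // Query parameters whose key contains one of these words get their value masked.
    // The word list is an assumption for this example; extend it for your components.
    private static final Pattern SECRET_PARAM = Pattern.compile(
            "([?&][^=&#]*(?:password|passphrase|secret)[^=&#]*)=[^&#]*",
            Pattern.CASE_INSENSITIVE);

    // Password in the authority part: scheme://user:password@host
    // A plain host:port has no '@' before the path, so it is left alone.
    private static final Pattern USERINFO_PASSWORD = Pattern.compile(
            "^([A-Za-z][A-Za-z0-9+.-]*://[^/?#:@]*):[^/?#@]*@");

    private UriSanitizerExample() {
    }

    /** Returns a copy of the URI that is safe to put into logs and exception messages. */
    static String sanitizeUri(String uri) {
        if (uri == null) {
            return null;
        }
        String masked = SECRET_PARAM.matcher(uri).replaceAll("$1=" + MASK);
        return USERINFO_PASSWORD.matcher(masked).replaceFirst("$1:" + MASK + "@");
    }

    /** Hypothetical stand-in for an endpoint; this is not Camel's Endpoint interface. */
    static final class DemoEndpoint {
        private final String uri;

        DemoEndpoint(String uri) {
            this.uri = uri;
        }

        /** Raw URI, needed to open the connection; never log this value. */
        String getEndpointUri() {
            return uri;
        }

        /** The only form that log statements and exception messages should use. */
        String getSanitizedEndpointUri() {
            return sanitizeUri(uri);
        }

        @Override
        public String toString() {
            // String concatenation in log calls ends up here, so it must be safe by default.
            return "Endpoint[" + getSanitizedEndpointUri() + "]";
        }
    }

    private static void check(boolean ok, String message) {
        if (!ok) {
            throw new IllegalStateException(message);
        }
    }

    public static void main(String[] args) {
        // Shortened form of the URI in this issue's log sample (credentials already altered there).
        String pageUri = "ftp://172.23.224.92//usr4/account?binary=true&delay=900000"
                + "&noop=true&password=myPassword&username=myAccount";
        // Constructed sample: credentials in the authority part instead of the query.
        String userInfoUri = "ftp://myAccount:myPassword@172.23.224.92:21/usr4/account?noop=true";
        // Constructed sample: a port only, nothing to mask.
        String portOnlyUri = "ftp://172.23.224.92:21/usr4/account?noop=true";

        DemoEndpoint endpoint = new DemoEndpoint(pageUri);
        // Build the warning from sanitized values, before the text reaches any appender.
        String warning = "Consumer " + endpoint + " could not poll endpoint: "
                + endpoint.getSanitizedEndpointUri();
        System.out.println(warning);
        System.out.println(sanitizeUri(userInfoUri));

        check(!warning.contains("myPassword"), "password leaked into the log message");
        check(warning.contains("password=" + MASK), "masked parameter should stay visible");
        check(warning.contains("username=myAccount"), "non-secret parameters must survive");
        check(sanitizeUri(userInfoUri).equals(
                "ftp://myAccount:" + MASK + "@172.23.224.92:21/usr4/account?noop=true"),
                "userinfo password must be masked");
        check(sanitizeUri(portOnlyUri).equals(portOnlyUri),
                "a port must not be mistaken for a password");
    }
}
```

The sanitizer is applied to the URI itself, before it is concatenated into a message; running it over a finished log line would let the value pattern run on past the end of the URI when the password is the last parameter.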

[jira] [Commented] (CAMEL-3980) Exception message contains plaintext password

Posted by "Taariq Levack (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CAMEL-3980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13035288#comment-13035288 ] 

Taariq Levack commented on CAMEL-3980:
--------------------------------------

Agreed Claus, explains why I felt dirty afterwards.
I'll update the patch this evening.

> Exception message contains plaintext password
> ---------------------------------------------
>
>                 Key: CAMEL-3980
>                 URL: https://issues.apache.org/jira/browse/CAMEL-3980
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-ftp
>    Affects Versions: 2.6.0
>         Environment: Configured via Spring
>            Reporter: Ales Dolecek
>              Labels: logging, security
>         Attachments: CAMEL-3980.patch, CAMEL-3980_UnitTestIncluded.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>

[jira] [Updated] (CAMEL-3980) Exception message contains plaintext password

Posted by "Taariq Levack (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CAMEL-3980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Taariq Levack updated CAMEL-3980:
---------------------------------

    Attachment: CAMEL-3980_Refactored_To_UriUtils.patch

Refactored to UriUtils

> Exception message contains plaintext password
> ---------------------------------------------
>
>                 Key: CAMEL-3980
>                 URL: https://issues.apache.org/jira/browse/CAMEL-3980
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-ftp
>    Affects Versions: 2.6.0
>         Environment: Configured via Spring
>            Reporter: Ales Dolecek
>              Labels: logging, security
>         Attachments: CAMEL-3980.patch, CAMEL-3980_Refactored_To_UriUtils.patch, CAMEL-3980_UnitTestIncluded.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>

[jira] [Updated] (CAMEL-3980) Exception message contains plaintext password

Posted by "Taariq Levack (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CAMEL-3980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Taariq Levack updated CAMEL-3980:
---------------------------------

    Attachment: CAMEL-3980_Refactored_To_UriUtils_2.patch

Last patch had some sys outs.

> Exception message contains plaintext password
> ---------------------------------------------
>
>                 Key: CAMEL-3980
>                 URL: https://issues.apache.org/jira/browse/CAMEL-3980
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-ftp
>    Affects Versions: 2.6.0
>         Environment: Configured via Spring
>            Reporter: Ales Dolecek
>              Labels: logging, security
>         Attachments: CAMEL-3980.patch, CAMEL-3980_Refactored_To_UriUtils.patch, CAMEL-3980_Refactored_To_UriUtils_2.patch, CAMEL-3980_UnitTestIncluded.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>

[jira] [Resolved] (CAMEL-3980) Exception message contains plaintext password

Posted by "Claus Ibsen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CAMEL-3980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Claus Ibsen resolved CAMEL-3980.
--------------------------------

    Resolution: Fixed

> Exception message contains plaintext password
> ---------------------------------------------
>
>                 Key: CAMEL-3980
>                 URL: https://issues.apache.org/jira/browse/CAMEL-3980
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-ftp
>    Affects Versions: 2.6.0
>         Environment: Configured via Spring
>            Reporter: Ales Dolecek
>            Assignee: Claus Ibsen
>              Labels: logging, security
>             Fix For: 2.8.0
>
>         Attachments: CAMEL-3980.patch, CAMEL-3980_Refactored_To_UriUtils.patch, CAMEL-3980_Refactored_To_UriUtils_2.patch, CAMEL-3980_UnitTestIncluded.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>

[jira] [Assigned] (CAMEL-3980) Exception message contains plaintext password

Posted by "Claus Ibsen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CAMEL-3980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Claus Ibsen reassigned CAMEL-3980:
----------------------------------

    Assignee: Claus Ibsen

> Exception message contains plaintext password
> ---------------------------------------------
>
>                 Key: CAMEL-3980
>                 URL: https://issues.apache.org/jira/browse/CAMEL-3980
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-ftp
>    Affects Versions: 2.6.0
>         Environment: Configured via Spring
>            Reporter: Ales Dolecek
>            Assignee: Claus Ibsen
>              Labels: logging, security
>         Attachments: CAMEL-3980.patch, CAMEL-3980_Refactored_To_UriUtils.patch, CAMEL-3980_Refactored_To_UriUtils_2.patch, CAMEL-3980_UnitTestIncluded.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>