Posted to dev@commons.apache.org by bu...@apache.org on 2003/12/04 00:47:36 UTC
DO NOT REPLY [Bug 25186] New: - Security problem, BasicDataSource class
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25186>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25186
Summary: Security problem, BasicDataSource class
Product: Commons
Version: 1.1 Final
Platform: All
OS/Version: All
Status: NEW
Severity: Enhancement
Priority: Other
Component: Dbcp
AssignedTo: commons-dev@jakarta.apache.org
ReportedBy: gernot.pfingstl@stmk.gv.at
In class org.apache.commons.dbcp.BasicDataSource there is a PUBLIC
method "getPassword()". This is a critical security problem: if DBCP is used in
Tomcat, a Tomcat admin will set up JNDI DataSources. The deployer of a webapp
should not know anything about the DataSource details, especially not the
password! Some developer could easily call "getPassword()" to hack the database.
As a first solution, "getPassword()" could be rewritten to always return "null"
(later it could be removed); second, the instance field "password" should change
from "protected" to "private".
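One way an administrator can apply the reporter's principle without waiting for a library change, as an added example that is not part of the bug report or of DBCP: a facade DataSource (hypothetical name GuardedDataSource) is bound in JNDI instead of the BasicDataSource itself, so the webapp receives a DataSource with no getPassword(), getUsername() or getUrl(), and the reference to the real pool is a private field as the report suggests. It assumes the javax.sql.DataSource interface of a current JDK and the org.apache.commons.dbcp.BasicDataSource class named in the report; the unwrap() check matters because a naive delegating unwrap(BasicDataSource.class) would hand the configured instance straight back to the caller.

```java
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;
import javax.sql.DataSource;
import org.apache.commons.dbcp.BasicDataSource;

/**
 * Credential-hiding facade (hypothetical, not part of DBCP). The Tomcat admin
 * configures the BasicDataSource and binds only this wrapper in JNDI.
 */
public final class GuardedDataSource implements DataSource {
    // private, not protected: a subclass cannot reach the pooled source either
    private final DataSource pool;

    public GuardedDataSource(BasicDataSource pool) {
        this.pool = pool;
    }

    public Connection getConnection() throws SQLException {
        return pool.getConnection();
    }

    public Connection getConnection(String user, String password) throws SQLException {
        return pool.getConnection(user, password);
    }

    // Refuse to unwrap past the facade: otherwise unwrap(BasicDataSource.class)
    // would return the configured instance and its getPassword() to the caller.
    public <T> T unwrap(Class<T> iface) throws SQLException {
        if (iface.isInstance(this)) {
            return iface.cast(this);
        }
        throw new SQLException("unwrap to " + iface.getName() + " not permitted");
    }

    public boolean isWrapperFor(Class<?> iface) {
        return iface.isInstance(this);
    }

    // Remaining DataSource methods carry no credentials and simply delegate.
    public PrintWriter getLogWriter() throws SQLException { return pool.getLogWriter(); }
    public void setLogWriter(PrintWriter out) throws SQLException { pool.setLogWriter(out); }
    public void setLoginTimeout(int seconds) throws SQLException { pool.setLoginTimeout(seconds); }
    public int getLoginTimeout() throws SQLException { return pool.getLoginTimeout(); }
    public Logger getParentLogger() throws SQLFeatureNotSupportedException {
        throw new SQLFeatureNotSupportedException();
    }
}
```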
---------------------------------------------------------------------
To unsubscribe, e-mail: commons-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: commons-dev-help@jakarta.apache.org