  1. Directory Client API
  2. DIRAPI-197

When dumping a BindRequest, the password is exposed


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.0.0-M23
    • Fix Version/s: 1.0.0-M24
    • None

    Description

      The BindRequestImpl.toString() method does print the password when in Simple mode (it's not the case when using SASL):

                  if ( isSimple )
                  {
                      // Simple bind: the password is written out both as text and as a byte dump
                      sb.append( "        Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
                          .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
                  }
                  else
                  {
                      // SASL bind: the credentials are already kept out of the output
                      sb.append( "        Sasl credentials\n" );
                      sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n" );

                      if ( credentials == null )
                      {
                          sb.append( "            Credentials : null" );
                      }
                      else
                      {
                          sb.append( "            Credentials : (omitted-for-safety)" );
                      }
                  }

      This is absolutely wrong...

          People

            elecharny Emmanuel Lécharny