  1. Directory Client API
  2. DIRAPI-197

When dumping a BindRequest, the password is exposed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.0.0-M23
    • Fix Version/s: 1.0.0-M24
    • Labels:
      None

      Description

      The BindRequestImpl.toString() method does print the password when in Simple mode (it's not the case when using SASL):

                  if ( isSimple )
                  {
                      sb.append( "        Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
                          .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
                  }
                  else
                  {
                      sb.append( "        Sasl credentials\n" );
                      sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n" );
      
                      if ( credentials == null )
                      {
                          sb.append( "            Credentials : null" );
                      }
                      else
                      {
                          sb.append( "            Credentials : (omitted-for-safety)" );
                      }
                  }

      This is absolutely wrong...
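
One way to keep simple-bind credentials out of the dump, treating them the same way as the SASL branch quoted above. This is an added example, not the project's actual fix for DIRAPI-197; the class `BindRequestDumpExample` and its helpers `dumpAuthentication` and `hex` are hypothetical stand-ins, and the password is a constructed sample.

```java
import java.nio.charset.StandardCharsets;

// Added example: a stand-in for the dump logic, not the Apache Directory API class.
public class BindRequestDumpExample
{
    private static final String OMITTED = "(omitted-for-safety)";

    // Hypothetical helper: renders the authentication part of a bind request
    // without ever copying credential bytes into the output.
    static String dumpAuthentication( boolean isSimple, String mechanism, byte[] credentials )
    {
        StringBuilder sb = new StringBuilder();
        String shown = ( credentials == null ) ? "null" : OMITTED;
        if ( isSimple )
        {
            sb.append( "        Simple authentication : " ).append( shown ).append( '\n' );
        }
        else
        {
            sb.append( "        Sasl credentials\n" );
            sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n" );
            sb.append( "            Credentials : " ).append( shown ).append( '\n' );
        }

        return sb.toString();
    }

    // A hex rendering of the bytes (the format is an assumption), used only to check for leaks.
    static String hex( byte[] bytes )
    {
        StringBuilder sb = new StringBuilder();
        for ( byte b : bytes )
        {
            sb.append( String.format( "0x%02X ", b ) );
        }
        return sb.toString();
    }

    public static void main( String[] args )
    {
        byte[] secret = "s3cr3t-constructed".getBytes( StandardCharsets.UTF_8 ); // constructed sample
        String dump = dumpAuthentication( true, null, secret );
        if ( dump.contains( "s3cr3t-constructed" ) || dump.contains( hex( secret ).trim() ) )
        {
            throw new IllegalStateException( "credentials leaked into dump" );
        }
        System.out.print( dump );
    }
}
```

The check in `main` covers both forms the original dump emitted: the UTF-8 string and a byte-level rendering of the same credentials.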


            People

            • Assignee:
              elecharny Emmanuel Lecharny
              Reporter:
              elecharny Emmanuel Lecharny