Directory Client API / DIRAPI-197

When dumping a BindRequest, the password is exposed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.0.0-M23
    • Fix Version/s: 1.0.0-M24
    • Labels:
      None

      Description

      The BindRequestImpl.toString() method does print the password when in Simple mode (it's not the case when using SASL):

                  if ( isSimple )
                  {
                      sb.append( "        Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
                          .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
                  }
                  else
                  {
                      sb.append( "        Sasl credentials\n" );
                      sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n" );
      
                      if ( credentials == null )
                      {
                          sb.append( "            Credentials : null" );
                      }
                      else
                      {
                          sb.append( "            Credentials : (omitted-for-safety)" );
                      }
      

      This is absolutely wrong...

        Activity

        Emmanuel Lecharny created issue -
        Emmanuel Lecharny added a comment - Fixed with http://svn.apache.org/r1612859
        Emmanuel Lecharny made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Emmanuel Lecharny added a comment - Closing the resolved issues.
        Emmanuel Lecharny made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Assignee Emmanuel Lecharny [ elecharny ]
        Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
        Open → Resolved | 5d 12h 5m | 1 | Emmanuel Lecharny | 29/Jul/14 05:14
        Resolved → Closed | 163d 13h 2m | 1 | Emmanuel Lecharny | 08/Jan/15 17:17

          People

          • Assignee: Emmanuel Lecharny
          • Reporter: Emmanuel Lecharny
          • Votes: 0
          • Watchers: 1
