[DIRAPI-197] When dumping a BindRequest, the password is exposed - ASF JIRA

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 1.0.0-M23
Fix Version/s: 1.0.0-M24
Labels:
None

Description

The BindRequestImpl.toString() metjod does print the password when in Simple mode (it's not the case when using SASL) :

            if ( isSimple )
            {
                sb.append( "        Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
                    .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
            }
            else
            {
                sb.append( "        Sasl credentials\n" );
                sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n" );

                if ( credentials == null )
                {
                    sb.append( "            Credentials : null" );
                }
                else
                {
                    sb.append( "            Credentials : (omitted-for-safety)" );
                }

This is absolutely wrong...

Activity

Ascending order - Click to sort in descending order

Emmanuel Lecharny created issue - 23/Jul/14 17:09

Emmanuel Lecharny made changes - 23/Jul/14 17:10

Field	Original Value	New Value
Description	The BindRequestImpl.toString() metjod does print the password when in Simple mode (it's not the case when using SASL) : if ( isSimple ) { sb.append( " Simple authentication : '" ).append( Strings.utf8ToString( credentials ) ) .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" ); } else { sb.append( " Sasl credentials\n" ); sb.append( " Mechanism :'" ).append( mechanism ).append( "'\n" ); if ( credentials == null ) { sb.append( " Credentials : null" ); } else { sb.append( " Credentials : (omitted-for-safety)" ); } This is absolutely wrong...	The BindRequestImpl.toString() metjod does print the password when in Simple mode (it's not the case when using SASL) : {code:java} if ( isSimple ) { sb.append( " Simple authentication : '" ).append( Strings.utf8ToString( credentials ) ) .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" ); } else { sb.append( " Sasl credentials\n" ); sb.append( " Mechanism :'" ).append( mechanism ).append( "'\n" ); if ( credentials == null ) { sb.append( " Credentials : null" ); } else { sb.append( " Credentials : (omitted-for-safety)" ); } {code} This is absolutely wrong...

Hide

Permalink

Emmanuel Lecharny added a comment - 29/Jul/14 05:14

Fixed with http://svn.apache.org/r1612859

Show

Emmanuel Lecharny added a comment - 29/Jul/14 05:14 Fixed with http://svn.apache.org/r1612859

Emmanuel Lecharny made changes - 29/Jul/14 05:14

Status	Open [ 1 ]	Resolved [ 5 ]
Resolution		Fixed [ 1 ]

Hide

Permalink

Emmanuel Lecharny added a comment - 08/Jan/15 17:17

Closing the resolved issues.

Show

Emmanuel Lecharny added a comment - 08/Jan/15 17:17 Closing the resolved issues.

Emmanuel Lecharny made changes - 08/Jan/15 17:17

Status	Resolved [ 5 ]	Closed [ 6 ]
Assignee		Emmanuel Lecharny [ elecharny ]

People

Assignee:

Emmanuel Lecharny

Reporter:

Emmanuel Lecharny

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

23/Jul/14 17:09

Updated:

08/Jan/15 17:17

Resolved:

29/Jul/14 05:14

Development

Agile

View on Board