[DIRAPI-197] When dumping a BindRequest, the password is exposed - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 1.0.0-M23
Fix Version/s: 1.0.0-M24
Labels:
None

Description

The BindRequestImpl.toString() metjod does print the password when in Simple mode (it's not the case when using SASL) :

            if ( isSimple )
            {
                sb.append( "        Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
                    .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
            }
            else
            {
                sb.append( "        Sasl credentials\n" );
                sb.append( "            Mechanism :'" ).append( mechanism ).append( "'\n" );

                if ( credentials == null )
                {
                    sb.append( "            Credentials : null" );
                }
                else
                {
                    sb.append( "            Credentials : (omitted-for-safety)" );
                }

This is absolutely wrong...

Attachments

Activity

People

Assignee:: Emmanuel Lécharny

Reporter:: Emmanuel Lécharny

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 23/Jul/14 16:09

Updated:: 08/Jan/15 17:17

Resolved:: 29/Jul/14 04:14