Commons VFS
VFS-169

Thrown exception reveals passwords

Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 1.0
• Fix Version/s: 2.0
• Labels: None

Description

If an exception occurs accessing a FileObject on a FileSystem that is addressed with a URL containing user and password, the thrown exception contains the password as part of the error message:

org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server at "sftp://user:password@apache.org/".

In such a case the URL should be printed as "sftp://user:***@apache.org/". The same applies to log messages - at least for INFO and higher.

This is a security risk, since in big companies exceptions and logs are normally collected and archived in monitoring systems and may reveal the password to persons who normally have no authorization for the target system.
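The masking the report asks for, as an added example that is not part of the issue, the attached patch, or Commons VFS itself: a small helper that scrubs the password part of any "scheme://user:password@host" URI before the string reaches an exception message or a log line. The class name CredentialRedactor, its methods and the sample URIs are assumptions made for this illustration; only the message text "Could not connect to SFTP server at ..." and the "sftp://user:***@apache.org/" form come from the report.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not Commons VFS code: scrub the password part of any
 * "scheme://user:password@host" URI before it is used in an exception
 * message or a log line.
 */
public final class CredentialRedactor {

    // Group 1 keeps "scheme://user:". Everything from there up to the last "@"
    // before the next "/" or whitespace is treated as the password, so an
    // unencoded "@" inside the password is swallowed too. Port numbers are
    // not affected because "host:8080/" has no "@" before its "/".
    private static final Pattern USERINFO =
        Pattern.compile("\\b([a-z][a-z0-9+.-]*://[^/@:\\s]*:)[^/\\s]*@",
                        Pattern.CASE_INSENSITIVE);

    private CredentialRedactor() { }

    /** Replaces every password in {@code text} with "***"; other text is returned unchanged. */
    public static String redact(String text) {
        if (text == null) {
            return null;
        }
        Matcher m = USERINFO.matcher(text);
        return m.replaceAll("$1***@");
    }

    /** Builds the connection-failure message from the report without leaking the password. */
    public static String connectFailureMessage(String uri) {
        return "Could not connect to SFTP server at \"" + redact(uri) + "\".";
    }

    public static void main(String[] args) {
        // Constructed sample URI matching the one quoted in the report.
        String uri = "sftp://user:password@apache.org/";
        System.out.println(connectFailureMessage(uri));

        // A log line may carry several URIs; every password in it is scrubbed,
        // including one that contains an unencoded "@".
        System.out.println(redact("copy sftp://a:secret@h1/ to ftp://b:p@ss@h2/x"));

        // No credentials, or a user name without password: left untouched.
        System.out.println(redact("http://apache.org:8080/ and sftp://user@host/"));
    }
}
```

The first line printed is the report's example message with "password" replaced by "***" and the user name kept, so the message stays useful for diagnostics. Because the helper works on plain strings it can be applied at the point where a message is assembled (exception constructors, log statements) rather than requiring every caller to remember to strip credentials; a password containing an unencoded "/" is the one shape this simple pattern cannot fully cover, which is a reason to keep such characters percent-encoded in URIs.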

Attachments

1. vfs-pwd.patch (4 kB) - Frank van der Kleij


People

• Assignee: joehni (Joerg Schaible)
• Reporter: joehni (Joerg Schaible)
• Votes: 1
• Watchers: 0
