• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Fixed
• Affects Version/s: 1.0
• Fix Version/s: 2.0


If an exception occurs while accessing a FileObject on a FileSystem that is addressed with a URL containing a user name and password, the thrown exception contains the password as part of the error message:

      org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server at "s".

In such a case the URL should be printed as "sftp://user:***". The same applies to log messages, at least for INFO and higher.

This is a security risk, since in big companies exceptions and logs are normally collected and archived in monitoring systems and may reveal the password to persons who normally have no authorization to the target system.
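One way to implement the masking the report asks for, as an added example that is neither the attached patch nor Commons VFS code: a standalone helper that rewrites "user:secret@host" to "user:***@host" before the URL is placed in an exception message or log line. The class and method names (UrlMasker, maskPassword, connectFailureMessage) and the sample URLs are hypothetical.

```java
public final class UrlMasker {
    private static final String MASK = "***";

    /** Replaces the password in a URL's user-info ("user:secret@host") with "***".
     *  Works on the raw string, so passwords with characters java.net.URI rejects are
     *  handled too; a URL without a password is returned unchanged. */
    public static String maskPassword(String url) {
        int schemeEnd = url.indexOf("://");
        if (schemeEnd < 0) {
            return url;                              // no authority, nothing to mask
        }
        int authorityStart = schemeEnd + 3;
        int authorityEnd = endOfAuthority(url, authorityStart);
        // User-info ends at the LAST '@' of the authority, so an unencoded '@'
        // inside the password cannot cut the masked region short.
        int at = url.lastIndexOf('@', authorityEnd - 1);
        if (at < authorityStart) {
            return url;                              // no user-info at all
        }
        int colon = url.indexOf(':', authorityStart);
        if (colon < 0 || colon > at) {
            return url;                              // user name only (the ':' is a port)
        }
        return url.substring(0, colon + 1) + MASK + url.substring(at);
    }

    /** First '/', '?' or '#' after the scheme, or the string end if there is none. */
    private static int endOfAuthority(String url, int from) {
        int end = url.length();
        for (char c : new char[] {'/', '?', '#'}) {
            int i = url.indexOf(c, from);
            if (i >= 0 && i < end) {
                end = i;
            }
        }
        return end;
    }

    /** The exception text from the report, built with the credential already masked. */
    public static String connectFailureMessage(String url) {
        return "Could not connect to SFTP server at \"" + maskPassword(url) + "\".";
    }

    public static void main(String[] args) {
        // Constructed sample URLs; host and credentials are made up.
        System.out.println(connectFailureMessage("sftp://alice:s3cr3t@files.example.com:22/pub/report.csv"));
        System.out.println(maskPassword("sftp://alice:p@ss:w0rd@files.example.com/pub"));
        System.out.println(maskPassword("sftp://alice@files.example.com:22/pub"));
    }
}
```

The second sample shows why the last '@' of the authority is used: a password containing '@' or ':' is still masked in full, while the third sample (user name and port, no password) passes through unchanged.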

1. vfs-pwd.patch (4 kB), attached by Frank van der Kleij


• Joerg Schaible created issue
• Frank van der Kleij made changes: Attachment vfs-pwd.patch [ 12396850 ]
• Frank van der Kleij made changes: Attachment vfs-pwd.patch [ 12396850 ]
• Frank van der Kleij made changes: Comment: "This is a quick fix that avoids getting a password, or the password mask, in the output. I would prefer to refactor all code to remove the superfluous parameter but that has a big impact, so it requires some input from the maintainers."
• Frank van der Kleij made changes: Attachment vfs-pwd.patch [ 12397051 ]
• Joerg Schaible made changes: Assignee Joerg Schaible [ joehni ]
• Joerg Schaible made changes: Resolution Fixed [ 1 ]; Status Open [ 1 ] to Resolved [ 5 ]; Fix Version/s 2.0 [ 12313174 ]


• Assignee: Joerg Schaible
• Votes: 1
• Watchers: 0


            • Created: