From e3cfd675b24bee3d8c572dfc1d3e023b9f8f6353 Mon Sep 17 00:00:00 2001
From: Alex COLLIGNON
Date: Wed, 19 Apr 2017 16:15:16 +0200
Subject: [PATCH 1/2] Test information disclosure in debug statement (toString)

---
 .../apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java b/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java
index 94ea935..f44bb9c 100644
--- a/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java
+++ b/vault-core/src/test/java/org/apache/jackrabbit/vault/fs/api/RepositoryAddressTest.java
@@ -309,6 +309,15 @@ public class RepositoryAddressTest extends TestCase {
 assertEquals("toString", "http://localhost:8080/-/jcr:root", ra.toString());
 }
 
+ public void testToStringHttpWithUserInfo() throws Exception {
+ String creds = "foo:bar";
+ RepositoryAddress ra =
+ new RepositoryAddress("http://" + creds + "@localhost:8080/-/jcr:root");
+
+ String toString = ra.toString();
+ assertFalse("toString should not contain credentials [" + toString + "]", toString.contains(creds));
+ }
+
 public void testRelative() throws Exception {
 RepositoryAddress ra = new RepositoryAddress("/");
 assertEquals("scheme", null, ra.getSpecificURI().getScheme());
@@ -364,4 +373,4 @@ public class RepositoryAddressTest extends TestCase {
 assertEquals("toString", "/-/jcr:root/foo/bar", ra.toString());
 }
 
-}
\ No newline at end of file
+}
-- 
2.12.2
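Review bot: The assertion in testToStringHttpWithUserInfo only rejects the exact substring `foo:bar`, so it still passes if toString() leaks the password in any other shape, such as the password alone, a percent-encoded form, or a masked user name with the password kept. Check the password on its own with a distinctive constructed value, e.g. `String password = "constructed-secret";` followed by `assertFalse("toString should not contain the password", toString.contains(password));`. A positive assertion that the host and path are still rendered would also stop an empty or truncated string from satisfying the test. If RepositoryAddress exposes the address through other accessors that end up in log output, they presumably need the same check; that cannot be confirmed from this hunk.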