http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25186

Security problem, BasicDataSource class

           Summary: Security problem, BasicDataSource class
           Product: Commons
           Version: 1.1 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Other
         Component: Dbcp
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

In class org.apache.commons.dbcp.BasicDataSource there is a PUBLIC method "getPassword()". This is a critical security problem: if DBCP is used in Tomcat, a Tomcat admin will set up JNDI DataSources. The deployer of a webapp should not know anything about the DataSource details, especially not the password! Some developer could easily call "getPassword()" to hack the database.

As a first solution, "getPassword()" could be rewritten to always return "null" (later it could be removed); second, the instance field "password" should change from "protected" to "private".
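One container-side mitigation that does not depend on the requested DBCP change is to bind a facade in JNDI that implements only javax.sql.DataSource, so webapp code never holds a BasicDataSource reference on which getPassword() could be called. The class below is an added example, not DBCP's or Tomcat's own code; the class name, the refusal of unwrap(), and the H2 connection values are assumptions made for illustration.

```java
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.SQLFeatureNotSupportedException;
import java.util.logging.Logger;
import javax.sql.DataSource;
import org.apache.commons.dbcp.BasicDataSource;

// Hypothetical facade (not part of DBCP): exposes only the javax.sql.DataSource contract,
// so code that obtains it from JNDI cannot reach BasicDataSource.getPassword().
public final class CredentialHidingDataSource implements DataSource {
    private final DataSource pool; // held as the interface so the concrete type never leaks

    public CredentialHidingDataSource(DataSource pool) { this.pool = pool; }

    public Connection getConnection() throws SQLException { return pool.getConnection(); }

    // Credentials are fixed by the container; refuse caller-supplied ones.
    public Connection getConnection(String user, String pass) throws SQLException {
        throw new SQLFeatureNotSupportedException("credentials are configured by the container");
    }

    // Refuse to unwrap: delegating here would hand back the BasicDataSource itself.
    public <T> T unwrap(Class<T> iface) throws SQLException {
        throw new SQLException("unwrap not permitted on this data source");
    }
    public boolean isWrapperFor(Class<?> iface) { return false; }

    public PrintWriter getLogWriter() throws SQLException { return pool.getLogWriter(); }
    public void setLogWriter(PrintWriter out) throws SQLException { pool.setLogWriter(out); }
    public void setLoginTimeout(int seconds) throws SQLException { pool.setLoginTimeout(seconds); }
    public int getLoginTimeout() throws SQLException { return pool.getLoginTimeout(); }
    public Logger getParentLogger() throws SQLFeatureNotSupportedException {
        throw new SQLFeatureNotSupportedException();
    }

    public static void main(String[] args) {
        BasicDataSource pool = new BasicDataSource();
        pool.setDriverClassName("org.h2.Driver");   // constructed sample values, not a real deployment
        pool.setUrl("jdbc:h2:mem:demo");
        pool.setUsername("app");
        pool.setPassword("EXAMPLE-PASSWORD");
        // Bind this object in JNDI instead of the pool itself.
        DataSource exposed = new CredentialHidingDataSource(pool);
        if (exposed instanceof BasicDataSource) {
            throw new AssertionError("pool type leaked to consumers");
        }
        System.out.println("consumers see only javax.sql.DataSource");
    }
}
```

In Tomcat the pool is normally created by a resource factory, so binding the facade instead of the pool requires a custom factory, which is outside this example. The facade only helps if the webapp cannot otherwise read the container's configuration files, where the password is still stored.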