passwords and other private data contained in URIs should not be logged in plaintext
------------------------------------------------------------------------------------

                 Key: CAMEL-3099
                 URL: https://issues.apache.org/activemq/browse/CAMEL-3099
             Project: Apache Camel
          Issue Type: Improvement
          Components: camel-core
            Reporter: Lorrin Nelson
            Priority: Minor


URIs with sensitive data are common, and URIs are frequently logged. I 
bumped into this myself most recently with an FTP consumer. I ended up with log 
messages like this:

RemoteFileProducer 2010-08-31 16:21:45,459 -- INFO -- Connected and logged in 
to: 
Endpoint[sftp://myusern...@my.host.name/var/my/path?fileName=myFile.txt&password=yikesMyPassword]

I propose a sane-defaults patch of modifying DefaultEndpoint.java's toString to 
sanitize the URI by looking for URI params containing the tokens "password" or 
"passphrase" and rendering their value as "*******" instead of the actual 
value. Obviously this isn't always the right thing to do in every situation, 
but it seems appropriate for many endpoints. Any for which it is not 
appropriate could override toString.
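The masking described in the proposal, written as a stand-alone example for this discussion (not Camel's own DefaultEndpoint code): query parameters whose name contains "password" or "passphrase" are rendered as "*******" before the URI is logged. The class name UriSanitizer and the regex-based parameter splitting are assumptions of this example.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Masks the value of any URI query parameter whose name contains "password" or "passphrase". */
public final class UriSanitizer {

    private static final String MASK = "*******";

    // One query parameter: the name, "=", then the value up to the next "&" or the fragment.
    private static final Pattern PARAM = Pattern.compile("([^&=?#]+)=([^&#]*)");

    private UriSanitizer() {
    }

    /** Returns the URI with secret-looking query parameter values replaced by MASK. */
    public static String sanitize(String uri) {
        if (uri == null) {
            return null;
        }
        int q = uri.indexOf('?');
        if (q < 0) {
            return uri; // no query part, so nothing to mask
        }
        String base = uri.substring(0, q + 1);
        String query = uri.substring(q + 1);
        Matcher m = PARAM.matcher(query);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String name = m.group(1);
            String value = isSecret(name) ? MASK : m.group(2);
            // Separators such as "&" between matches are copied through unchanged.
            m.appendReplacement(sb, Matcher.quoteReplacement(name + "=" + value));
        }
        m.appendTail(sb);
        return base + sb;
    }

    /** Case-insensitive token check, so "privateKeyPassphrase" is treated as a secret too. */
    static boolean isSecret(String paramName) {
        String lower = paramName.toLowerCase(Locale.ROOT);
        return lower.contains("password") || lower.contains("passphrase");
    }

    public static void main(String[] args) {
        // Constructed sample URI in the shape of the logged endpoint above.
        String uri = "sftp://user@my.host.name/var/my/path?fileName=myFile.txt&password=secret";
        System.out.println(sanitize(uri));
    }
}
```

An endpoint's toString would call sanitize on its URI before returning it; the userinfo part (user@host) is left untouched here because the proposal only covers query parameters.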

-- 
This message is automatically generated by JIRA.