Exception message contains plaintext password
---------------------------------------------
Key: CAMEL-3980
URL: https://issues.apache.org/jira/browse/CAMEL-3980
Project: Camel
Issue Type: Improvement
Components: camel-ftp
Affects Versions: 2.6.0
Environment: Configured via Spring
Reporter: Ales Dolecek
The exception thrown by RemoteFilePollingConsumerPollStrategy shows the URI and
shows the password in plaintext. Since we report ERROR and WARN messages from logs
to external destinations (SNMP and mail), the password leaves the system and we
are losing control over its spread across the enterprise. I decided to mark this
as a major issue since it is security related. I have found another issue,
#CAMEL-3099, related to cleartext passwords in log files. It is closed however -
don't know if I should try to reopen it.
Here is a sample log (the username and password parameters were altered):
2011-05-16 22:35:07,210 WARN [FtpConsumer] File operation failed: Software caused connection abort: socket write error. Code: 250
2011-05-16 22:35:07,210 WARN [RemoteFilePollingConsumerPollStrategy] Consumer Consumer[ftp://172.23.224.92//usr4/account?binary=true&delay=900000&filter=%23taxFileFilter&idempotentRepository=%23dac1Checker&maxMessagesPerPoll=1&noop=true&password=myPassword&username=myAccount] could not poll endpoint: ftp://172.23.224.92//usr4/account?binary=true&delay=900000&filter=%23taxFileFilter&idempotentRepository=%23dac1Checker&maxMessagesPerPoll=1&noop=true&password=myPassword&username=myAccount caused by: File operation failed: Software caused connection abort: recv failed. Code: 250
org.apache.camel.component.file.GenericFileOperationFailedException: File operation failed: Software caused connection abort: recv failed. Code: 250
    at org.apache.camel.component.file.remote.FtpOperations.getCurrentDirectory(FtpOperations.java:548)
    at org.apache.camel.component.file.remote.FtpConsumer.pollDirectory(FtpConsumer.java:43)
    at org.apache.camel.component.file.GenericFileConsumer.poll(GenericFileConsumer.java:83)
    at org.apache.camel.impl.ScheduledPollConsumer.run(ScheduledPollConsumer.java:97)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
    at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.net.SocketException: Software caused connection abort: recv failed
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(Unknown Source)
    at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
    at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
    at sun.nio.cs.StreamDecoder.read(Unknown Source)
    at java.io.InputStreamReader.read(Unknown Source)
    at java.io.BufferedReader.fill(Unknown Source)
    at java.io.BufferedReader.readLine(Unknown Source)
    at java.io.BufferedReader.readLine(Unknown Source)
    at org.apache.commons.net.ftp.FTP.__getReply(FTP.java:294)
    at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:490)
    at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:534)
    at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:583)
    at org.apache.commons.net.ftp.FTP.pwd(FTP.java:1270)
    at org.apache.commons.net.ftp.FTPClient.printWorkingDirectory(FTPClient.java:1800)
    at org.apache.camel.component.file.remote.FtpOperations.getCurrentDirectory(FtpOperations.java:546)
    ... 12 more
Ales
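
The masking this report asks for, sketched as an added example that is not part of the original message and is not Camel's own code. The class name EndpointUriMasker, the method mask, the list of secret parameter names and the ****** placeholder are all assumptions; the sample strings are constructed from the log above.

```java
import java.util.regex.Pattern;

// Added example (hypothetical helper, not Camel code): mask credentials in an
// endpoint URI before it is placed in a log line or an exception message.
public class EndpointUriMasker {

    // Query parameters treated as secret; this key list is an assumption.
    // The value ends at the next '&' or ';', at whitespace, or at the ']'
    // that closes "Consumer[...]" in the WARN line.
    private static final Pattern SECRET_PARAM = Pattern.compile(
            "([?&;](?:password|passphrase|secret)=)[^&;\\s\\]]*",
            Pattern.CASE_INSENSITIVE);

    // The user:password@host form in the authority part of a URI.
    private static final Pattern USERINFO = Pattern.compile(
            "(://[^/?#:@\\s]+:)[^/?#@\\s]*(@)");

    // Works on a bare URI or on a whole message that embeds one or more URIs.
    public static String mask(String text) {
        if (text == null) {
            return null;
        }
        String masked = SECRET_PARAM.matcher(text).replaceAll("$1******");
        return USERINFO.matcher(masked).replaceAll("$1******$2");
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the WARN line in the report.
        String line = "Consumer[ftp://172.23.224.92//usr4/account?binary=true"
                + "&noop=true&password=myPassword&username=myAccount]"
                + " could not poll endpoint";
        String masked = mask(line);
        System.out.println(masked);
        if (masked.contains("myPassword")) {
            throw new IllegalStateException("password still present");
        }
        // Userinfo form of the same credentials, also constructed.
        System.out.println(mask("ftp://myAccount:myPassword@172.23.224.92/usr4"));
    }
}
```

Masking has to happen where the message string is built: once the raw URI is inside the exception message, every appender that forwards WARN and ERROR events (mail, SNMP) receives it.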