[ https://issues.apache.org/jira/browse/VFS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Frank updated VFS-169:
----------------------

    Attachment: vfs-pwd.patch

This is a quick fix that avoids getting a password, or the password mask, in 
the output. I would prefer to refactor all code to remove the superfluous 
parameter but that has a big impact, so it requires some input from the 
maintainers.

> Thrown exception reveals passwords
> ----------------------------------
>
>                 Key: VFS-169
>                 URL: https://issues.apache.org/jira/browse/VFS-169
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 1.0
>            Reporter: Joerg Schaible
>         Attachments: vfs-pwd.patch
>
>
> If an exception occurs accessing a FileObject on a FileSystem that is 
> addressed with a URL containing user and password, the thrown exception 
> contains the password as part of the error message:
> org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server 
> at "sftp://user:passw...@apache.org/".
> In such a case the URL should be printed as "sftp://user:*...@apache.org/". 
> The same applies to log messages - at least for INFO and higher.
> This is a security risk, since in big companies exceptions and logs are 
> normally collected and archived in monitoring systems and may reveal the 
> password to persons that normally have no authorization to the target system.
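The masking the report asks for, as an added illustration (not the attached vfs-pwd.patch and not Commons VFS code): the userinfo password of a URL is replaced before the URL is embedded in an exception or log message. The class name, the `***` placeholder and the sample URL are assumptions; the page only specifies that the password must not appear.

```java
/** Added example, not Commons VFS code: keep credentials out of error messages. */
public final class SafeUriMessage {

    /** Returns the URI with any password in its userinfo replaced by "***". */
    public static String maskPassword(String uri) {
        int schemeEnd = uri.indexOf("://");
        if (schemeEnd < 0) {
            return uri; // no authority component, nothing to mask
        }
        int authorityStart = schemeEnd + 3;
        // Authority ends at the first '/', '?' or '#' after the scheme, or at end of string.
        int authorityEnd = uri.length();
        for (char delimiter : new char[] {'/', '?', '#'}) {
            int idx = uri.indexOf(delimiter, authorityStart);
            if (idx >= 0 && idx < authorityEnd) {
                authorityEnd = idx;
            }
        }
        String authority = uri.substring(authorityStart, authorityEnd);
        // The host starts after the LAST '@', so an '@' inside the password is handled too.
        int at = authority.lastIndexOf('@');
        if (at < 0) {
            return uri; // no userinfo at all
        }
        String userInfo = authority.substring(0, at);
        int colon = userInfo.indexOf(':');
        if (colon < 0) {
            return uri; // user name only, no password to hide
        }
        String maskedUserInfo = userInfo.substring(0, colon + 1) + "***";
        return uri.substring(0, authorityStart)
                + maskedUserInfo
                + authority.substring(at)
                + uri.substring(authorityEnd);
    }

    /** Builds the connection-failure message with the masked URL (constructed sample). */
    public static String connectFailureMessage(String uri) {
        return "Could not connect to SFTP server at \"" + maskPassword(uri) + "\".";
    }

    public static void main(String[] args) {
        // Constructed sample input; the password never reaches the message.
        String uri = "sftp://user:s3cret@apache.org/";
        System.out.println(connectFailureMessage(uri));
        System.out.println(maskPassword("sftp://user@apache.org/"));      // unchanged
        System.out.println(maskPassword("sftp://user:p@ss@apache.org/")); // '@' in password
    }
}
```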

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.