[ https://issues.apache.org/jira/browse/VFS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Frank updated VFS-169: ---------------------- Attachment: vfs-pwd.patch This patch is a very local fix, that only changes the toString() method. I would prefer that the password would not be returned on methods like getURI either, but this has big implications on the whole URI parsing. The TODO in DefaultFileSystemManager.resolveName(FileName,String,NameScope) first has to be implemented to allow the URI parser to work on relative paths. > Thrown exception reveals passwords > ---------------------------------- > > Key: VFS-169 > URL: https://issues.apache.org/jira/browse/VFS-169 > Project: Commons VFS > Issue Type: Bug > Affects Versions: 1.0 > Reporter: Joerg Schaible > Attachments: vfs-pwd.patch > > > If an exception occurs accessing a FileObject on a FileSystem that is > addressed with an URL containing user and password the thrown exception > contains the password as part of the error message: > org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server > at "sftp://user:passw...@apache.org/". > In such a case the URL should be printed as "sftp://user:*...@apache.org/". > Same applied to log messages - at least for INFO and higher. > This is a security risk, since in big companies exceptions and logs are > normally collected and archived in monitoring systems and may reveal the > password to persons that have normally no authorization to the target system. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.