[
https://issues.apache.org/jira/browse/VFS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Frank updated VFS-169:
----------------------
Attachment: vfs-pwd.patch
This patch is a very local fix, that only changes the toString() method. I
would prefer that the password would not be returned on methods like getURI
either, but this has big implications on the whole URI parsing. The TODO in
DefaultFileSystemManager.resolveName(FileName,String,NameScope) first has to be
implemented to allow the URI parser to work on relative paths.
> Thrown exception reveals passwords
> ----------------------------------
>
> Key: VFS-169
> URL: https://issues.apache.org/jira/browse/VFS-169
> Project: Commons VFS
> Issue Type: Bug
> Affects Versions: 1.0
> Reporter: Joerg Schaible
> Attachments: vfs-pwd.patch
>
>
> If an exception occurs accessing a FileObject on a FileSystem that is
> addressed with an URL containing user and password the thrown exception
> contains the password as part of the error message:
> org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server
> at "sftp://user:passw...@apache.org/";.
> In such a case the URL should be printed as "sftp://user:*...@apache.org/";.
> Same applied to log messages - at least for INFO and higher.
> This is a security risk, since in big companies exceptions and logs are
> normally collected and archived in monitoring systems and may reveal the
> password to persons that have normally no authorization to the target system.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
