[ https://issues.apache.org/jira/browse/VFS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688664#action_12688664 ]
Sergey Vladimirov commented on VFS-169:
---------------------------------------

Joerg,

Seems we have duplication of functionality now:
- GenericFileName has getSafeURI() method
- FileName & AbstractFileName have getFriendlyURI() method

As for me, only getFriendlyURI() was okay (maybe using *** to replace the password should be added), and this (and only this) method should be used for the toString() method. Also AbstractFileObject should be changed to use the "safe" URI in toString().

> Thrown exception reveals passwords
> ----------------------------------
>
>                 Key: VFS-169
>                 URL: https://issues.apache.org/jira/browse/VFS-169
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 1.0
>            Reporter: Joerg Schaible
>            Assignee: Joerg Schaible
>             Fix For: 2.0
>
>         Attachments: vfs-pwd.patch
>
>
> If an exception occurs accessing a FileObject on a FileSystem that is
> addressed with a URL containing user and password, the thrown exception
> contains the password as part of the error message:
> org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server
> at "sftp://user:passw...@apache.org/".
> In such a case the URL should be printed as "sftp://user:*...@apache.org/".
> The same applies to log messages - at least for INFO and higher.
> This is a security risk, since in big companies exceptions and logs are
> normally collected and archived in monitoring systems and may reveal the
> password to persons that normally have no authorization to the target system.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
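A worked example of the masking the report asks for, added here as illustration and not Commons VFS's own getSafeURI()/getFriendlyURI() code: the SafeUri helper and the FileName sketch are hypothetical, and the example assumes java.net.URI can parse the file name (anything it cannot parse is replaced by a placeholder rather than echoed). Routing toString() through the masked form is what keeps exception messages and loggers that stringify the object from leaking the password.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical helper (not Commons VFS code): masks the password part of a URI's userinfo. */
public final class SafeUri {
    private static final String MASK = "***";

    private SafeUri() {}

    /** "sftp://user:secret@host/" becomes "sftp://user:***@host/"; URIs without a password are returned unchanged. */
    public static String mask(String uriString) {
        URI uri;
        try {
            uri = new URI(uriString);
        } catch (URISyntaxException e) {
            // Unparseable input may still contain a secret: refuse to echo it back.
            return "<unparseable URI>";
        }
        String userInfo = uri.getRawUserInfo();            // raw form keeps %-escapes intact
        int colon = (userInfo == null) ? -1 : userInfo.indexOf(':');
        if (colon < 0) {
            return uriString;                              // no userinfo, or a user name without a password
        }
        String maskedUserInfo = userInfo.substring(0, colon + 1) + MASK;
        int at = uriString.indexOf(userInfo + "@");        // userinfo sits directly after "scheme://"
        return uriString.substring(0, at) + maskedUserInfo + uriString.substring(at + userInfo.length());
    }

    /** Sketch of a file name whose toString() is safe to put into exception and log messages. */
    public static final class FileName {
        private final String uri;                          // full URI, password included

        public FileName(String uri) { this.uri = uri; }

        /** Only for the code that actually opens the connection. */
        public String getURI() { return uri; }

        /** What exceptions, loggers and debuggers get to see. */
        public String getFriendlyURI() { return mask(uri); }

        @Override public String toString() { return getFriendlyURI(); }
    }

    public static void main(String[] args) {
        // Constructed sample: a failure message built from toString() carries the masked URI only.
        FileName name = new FileName("sftp://user:passw0rd@apache.org/data/file.txt");
        Exception e = new Exception("Could not connect to SFTP server at \"" + name + "\".");
        System.out.println(e.getMessage());
        System.out.println(mask("ftp://anonymous@ftp.example.org/"));   // no password: unchanged
    }
}
```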