[
https://issues.apache.org/jira/browse/VFS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688664#action_12688664
]
Sergey Vladimirov commented on VFS-169:
---------------------------------------
Joerg,
Seems we have duplication of functionality now:
- GenericFileName has getSafeURI() method
- FileName & AbstractFileName have getFriendlyURI() method
As for me, only getFriendlyURI() was okay (may be using *** to replace password
should be added), and this (and only this) method should be used for toString()
method.
Also AbstractFileObject should be changed to use "safe" URI in toString()
> Thrown exception reveals passwords
> ----------------------------------
>
> Key: VFS-169
> URL: https://issues.apache.org/jira/browse/VFS-169
> Project: Commons VFS
> Issue Type: Bug
> Affects Versions: 1.0
> Reporter: Joerg Schaible
> Assignee: Joerg Schaible
> Fix For: 2.0
>
> Attachments: vfs-pwd.patch
>
>
> If an exception occurs accessing a FileObject on a FileSystem that is
> addressed with an URL containing user and password the thrown exception
> contains the password as part of the error message:
> org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server
> at "sftp://user:passw...@apache.org/";.
> In such a case the URL should be printed as "sftp://user:*...@apache.org/";.
> Same applied to log messages - at least for INFO and higher.
> This is a security risk, since in big companies exceptions and logs are
> normally collected and archived in monitoring systems and may reveal the
> password to persons that have normally no authorization to the target system.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
