[ 
https://issues.apache.org/jira/browse/VFS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12619355#action_12619355
 ] 

kleij edited comment on VFS-169 at 8/3/08 11:52 PM:
----------------------------------------------------

I think too that the password should never ever be revealed once entered; not 
in exceptions, nor in other debug messages.

Probably adapting the AbstractFileName.toString to not print the password would 
fix most of this. Then the method getFriendlyURI can be deprecated as well. 

I have one remark though. I really dislike the format 'scheme://user:[EMAIL 
PROTECTED]' where the password is hidden with *** ; it is kind of ugly and I 
don't think it serves any purpose to show the ***. 

I would rather prefer 'scheme://[EMAIL PROTECTED]' in all cases; it is shorter 
and more to the point.

I hope you fix this soon.

In my opinion, when the credentials of the user were not in the URI but have 
been given using the Authentication in the FileSystemOptions the username 
should also be in the FileName.toString(), which is currently not the case. 



      was (Author: kleij):
    I think too that the password should never ever be revealed once entered; 
not in exceptions, nor in other debug messages.

Probably adapting the AbstractFileName.toString to not print the password would 
fix most of this. Then the method getFriendlyURI can be deprecated as well. 

I have one remark though. I really dislike the format 'scheme://user:[EMAIL 
PROTECTED]' where the password is hidden with *** ; it is ugly and I don't 
think it serves any purpose to show the ***. 

I would rather prefer 'scheme://[EMAIL PROTECTED]' in all cases; it is shorter 
and more to the point.

I hope you fix this soon ;-)
  
> Thrown exception reveals passwords
> ----------------------------------
>
>                 Key: VFS-169
>                 URL: https://issues.apache.org/jira/browse/VFS-169
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 1.0
>            Reporter: Joerg Schaible
>
> If an exception occurs accessing a FileObject on a FileSystem that is 
> addressed with a URL containing user and password, the thrown exception 
> contains the password as part of the error message:
> org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server 
> at "sftp://user:[EMAIL PROTECTED]/".
> In such a case the URL should be printed as "sftp://user:[EMAIL PROTECTED]/". 
> The same applies to log messages - at least for INFO and higher.
> This is a security risk, since in big companies exceptions and logs are 
> normally collected and archived in monitoring systems and may reveal the 
> password to persons that have normally no authorization to the target system.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
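
Added example, not part of the original message and not Commons VFS code: one way to produce the 'scheme://user@host' form discussed in the comment before a URI reaches an exception or log message. The class and method names are hypothetical and the sample URIs are constructed.

```java
public final class UriRedactor {
    private UriRedactor() {}

    // Hypothetical helper: drops ":password" from the userinfo of scheme://user:password@host/...
    // Assumes '/', '?' and '#' inside a password are percent-encoded, as a valid URI requires.
    public static String withoutPassword(String uri) {
        int schemeEnd = uri.indexOf("://");
        if (schemeEnd < 0) {
            return uri; // no authority component, nothing to redact
        }
        int authStart = schemeEnd + 3;
        int authEnd = uri.length();
        for (int i = authStart; i < uri.length(); i++) {
            char c = uri.charAt(i);
            if (c == '/' || c == '?' || c == '#') {
                authEnd = i;
                break;
            }
        }
        // Last '@' in the authority: an unescaped '@' in the password must not end the userinfo early.
        int at = uri.lastIndexOf('@', authEnd - 1);
        if (at < authStart) {
            return uri; // no userinfo at all
        }
        int colon = uri.indexOf(':', authStart);
        if (colon < 0 || colon > at) {
            return uri; // user name only, no password present
        }
        return uri.substring(0, colon) + uri.substring(at);
    }

    public static void main(String[] args) {
        String[] constructed = {
            "sftp://user:s3cret@example.org/",
            "ftp://user:p@ss:word@example.org:2121/dir?x=1",
            "sftp://user@example.org/home",
            "http://example.org/a@b:c",
            "file:///tmp/a:b@c",
        };
        for (String uri : constructed) {
            // Message text modelled on the exception quoted in the issue.
            String msg = "Could not connect to server at \"" + withoutPassword(uri) + "\".";
            System.out.println(msg);
        }
    }
}
```

The last two samples have no userinfo; their '@' and ':' sit in the path, so the helper returns them unchanged.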
