Thrown exception reveals passwords
----------------------------------

                 Key: VFS-169
                 URL: https://issues.apache.org/jira/browse/VFS-169
             Project: Commons VFS
          Issue Type: Bug
    Affects Versions: 1.0
            Reporter: Joerg Schaible


If an exception occurs accessing a FileObject on a FileSystem that is addressed 
with a URL containing user and password, the thrown exception contains the 
password as part of the error message:

org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server at 
"sftp://user:[EMAIL PROTECTED]/".

In such a case the URL should be printed as "sftp://user:[EMAIL PROTECTED]/". 
The same applies to log messages - at least for INFO and higher.

This is a security risk, since in big companies exceptions and logs are 
normally collected and archived in monitoring systems and may reveal the 
password to persons who normally have no authorization to the target system.


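The masking requested in the report above, sketched as an added example; this is not Commons VFS code and not part of the original message. The class name UrlRedactor, the "***" mask text and the sample URLs are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

/** Added example (not Commons VFS code): mask the password of a URL before it is logged or thrown. */
public final class UrlRedactor {
    private static final String MASK = "***"; // assumed mask text

    // Fallback for strings java.net.URI rejects or parses without user info.
    // The greedy [^/?#]* ends at the last '@' of the authority, so a raw '@'
    // inside the password is masked too.
    private static final Pattern USERINFO =
            Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*://[^/?#:@]*):[^/?#]*@");

    public static String redact(String url) {
        if (url == null) return null;
        try {
            String info = new URI(url).getRawUserInfo();
            int colon = (info == null) ? -1 : info.indexOf(':');
            if (colon >= 0) {
                // The authority starts at the first "//", so this marker locates
                // the user info in the original text; everything else is kept as is.
                String marker = "//" + info + "@";
                int i = url.indexOf(marker);
                return url.substring(0, i + 2 + colon) + ":" + MASK
                        + url.substring(i + marker.length() - 1);
            }
        } catch (URISyntaxException e) {
            // Not a strict URI (for example it contains a space): use the pattern below.
        }
        return USERINFO.matcher(url).replaceFirst("$1:" + MASK + "@");
    }

    public static void main(String[] args) {
        // Constructed sample URLs; host, user and password are made up.
        String[] samples = {
            "sftp://user:s3cr3t@files.example.test/",
            "sftp://user:p%40ss@files.example.test:2222/in?x=1",
            "sftp://user:p@ss@files.example.test/my dir/",
            "sftp://user@files.example.test/",
        };
        for (String s : samples) {
            System.out.println("Could not connect to SFTP server at \"" + redact(s) + "\".");
        }
    }
}
```

Masking has to happen where the message string is built, so that the exception text and every log line derived from it carry the redacted form; the unmasked URL is then used only for the connection itself.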