[ 
https://issues.apache.org/jira/browse/CAMEL-3980?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Claus Ibsen updated CAMEL-3980:
-------------------------------

      Description: 
The exception thrown by RemoteFilePollingConsumerPollStrategy shows URI and 
shows password in plaintext. Since we report ERROR and WARN messages from logs 
to external destinations (SNMP and mail) the password leaves the system and we 
are losing control over its spread across the enterprise. I decided to mark this 
as a major issue since it is security related. I have found another issue 
#CAMEL-3099 related to cleartext passwords in log files. It is closed however - 
don't know if I should try to reopen it.

Here is sample log (the username and password parameters were altered):
{code}
2011-05-16 22:35:07,210 WARN  [FtpConsumer] File operation failed:  Software caused connection abort: socket write error. Code: 250
2011-05-16 22:35:07,210 WARN  [RemoteFilePollingConsumerPollStrategy] Consumer Consumer[ftp://172.23.224.92//usr4/account?binary=true&delay=900000&filter=%23taxFileFilter&idempotentRepository=%23dac1Checker&maxMessagesPerPoll=1&noop=true&password=myPassword&username=myAccount] could not poll endpoint: ftp://172.23.224.92//usr4/account?binary=true&delay=900000&filter=%23taxFileFilter&idempotentRepository=%23dac1Checker&maxMessagesPerPoll=1&noop=true&password=myPassword&username=myAccount caused by: File operation failed:  Software caused connection abort: recv failed. Code: 250
org.apache.camel.component.file.GenericFileOperationFailedException: File operation failed:  Software caused connection abort: recv failed. Code: 250
        at org.apache.camel.component.file.remote.FtpOperations.getCurrentDirectory(FtpOperations.java:548)
        at org.apache.camel.component.file.remote.FtpConsumer.pollDirectory(FtpConsumer.java:43)
        at org.apache.camel.component.file.GenericFileConsumer.poll(GenericFileConsumer.java:83)
        at org.apache.camel.impl.ScheduledPollConsumer.run(ScheduledPollConsumer.java:97)
        at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
        at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
        at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Caused by: java.net.SocketException: Software caused connection abort: recv failed
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.read(Unknown Source)
        at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
        at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
        at sun.nio.cs.StreamDecoder.read(Unknown Source)
        at java.io.InputStreamReader.read(Unknown Source)
        at java.io.BufferedReader.fill(Unknown Source)
        at java.io.BufferedReader.readLine(Unknown Source)
        at java.io.BufferedReader.readLine(Unknown Source)
        at org.apache.commons.net.ftp.FTP.__getReply(FTP.java:294)
        at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:490)
        at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:534)
        at org.apache.commons.net.ftp.FTP.sendCommand(FTP.java:583)
        at org.apache.commons.net.ftp.FTP.pwd(FTP.java:1270)
        at org.apache.commons.net.ftp.FTPClient.printWorkingDirectory(FTPClient.java:1800)
        at org.apache.camel.component.file.remote.FtpOperations.getCurrentDirectory(FtpOperations.java:546)
        ... 12 more
{code}

Ales

    Fix Version/s: 2.8.0

> Exception message contains plaintext password
> ---------------------------------------------
>
>                 Key: CAMEL-3980
>                 URL: https://issues.apache.org/jira/browse/CAMEL-3980
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-ftp
>    Affects Versions: 2.6.0
>         Environment: Configured via Spring
>            Reporter: Ales Dolecek
>            Assignee: Claus Ibsen
>              Labels: logging, security
>             Fix For: 2.8.0
>
>         Attachments: CAMEL-3980.patch, 
> CAMEL-3980_Refactored_To_UriUtils.patch, 
> CAMEL-3980_Refactored_To_UriUtils_2.patch, CAMEL-3980_UnitTestIncluded.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
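
One way to keep credentials out of messages like the one in the report, shown as an added example (not part of the JIRA issue and not Camel's own code): the class name `UriRedactor`, its `sanitize` method and the list of secret parameter names are assumptions. It also masks credentials written as `user:password@host`, which goes beyond the query-parameter case in the sample log.

```java
import java.util.regex.Pattern;

/** Added example: hypothetical helper, not Camel's own code. */
public class UriRedactor {

    // Query parameters whose values must never reach a log (assumed list).
    private static final Pattern SECRET_PARAM = Pattern.compile(
            "([?&;](?:password|passphrase|secretKey)=)[^&;\\]\\s]*",
            Pattern.CASE_INSENSITIVE);

    // user:password@host in the authority part of a URI.
    private static final Pattern USER_INFO = Pattern.compile(
            "(://[^/?#:@\\s]+:)[^/?#@\\s]*(@)");

    /** Masks secret values in any text that embeds one or more URIs. */
    static String sanitize(String text) {
        if (text == null) {
            return null;
        }
        String out = SECRET_PARAM.matcher(text).replaceAll("$1******");
        return USER_INFO.matcher(out).replaceAll("$1******$2");
    }

    public static void main(String[] args) {
        // Endpoint URI shortened from the sample log in the report.
        String uri = "ftp://172.23.224.92//usr4/account?binary=true&delay=900000"
                + "&noop=true&password=myPassword&username=myAccount";

        // Before: the raw URI is concatenated into the WARN message twice,
        // once via the consumer's toString() and once as the endpoint.
        String leaky = "Consumer[" + uri + "] could not poll endpoint: " + uri;

        // After: the message is sanitized before it is logged or wrapped
        // in an exception, so SNMP and mail appenders never see the secret.
        String safe = sanitize(leaky);

        System.out.println("leaky contains password: " + leaky.contains("myPassword"));
        System.out.println("safe contains password:  " + safe.contains("myPassword"));
        System.out.println(safe);

        // Constructed input: credentials in the userinfo part of the URI.
        System.out.println(sanitize("ftp://myAccount:myPassword@172.23.224.92/usr4"));
    }
}
```

Masking has to happen where the message string is built (exception messages and `toString()` of endpoints and consumers), because a filter at the log appender does not cover exceptions forwarded by other channels.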
