[ https://issues.apache.org/jira/browse/DIRAPI-197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Emmanuel Lecharny updated DIRAPI-197:
-------------------------------------
Description:
The BindRequestImpl.toString() method does print the password when in Simple
mode (it's not the case when using SASL) :
{code:java}
if ( isSimple )
{
    // Simple bind: the password is appended as text and as a byte dump
    sb.append( " Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
        .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
}
else
{
    sb.append( " Sasl credentials\n" );
    sb.append( " Mechanism :'" ).append( mechanism ).append( "'\n" );

    if ( credentials == null )
    {
        sb.append( " Credentials : null" );
    }
    else
    {
        sb.append( " Credentials : (omitted-for-safety)" );
    }
}
{code}
This is absolutely wrong...
was:
The BindRequestImpl.toString() method does print the password when in Simple
mode (it's not the case when using SASL) :
if ( isSimple )
{
    // Simple bind: the password is appended as text and as a byte dump
    sb.append( " Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
        .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
}
else
{
    sb.append( " Sasl credentials\n" );
    sb.append( " Mechanism :'" ).append( mechanism ).append( "'\n" );

    if ( credentials == null )
    {
        sb.append( " Credentials : null" );
    }
    else
    {
        sb.append( " Credentials : (omitted-for-safety)" );
    }
}
This is absolutely wrong...
> When dumping a BindRequest, the password is exposed
> ---------------------------------------------------
>
> Key: DIRAPI-197
> URL: https://issues.apache.org/jira/browse/DIRAPI-197
> Project: Directory Client API
> Issue Type: Bug
> Affects Versions: 1.0.0-M23
> Reporter: Emmanuel Lecharny
> Priority: Blocker
> Fix For: 1.0.0-M24
>
>
> The BindRequestImpl.toString() method does print the password when in Simple
> mode (it's not the case when using SASL) :
> {code:java}
> if ( isSimple )
> {
>     // Simple bind: the password is appended as text and as a byte dump
>     sb.append( " Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
>         .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
> }
> else
> {
>     sb.append( " Sasl credentials\n" );
>     sb.append( " Mechanism :'" ).append( mechanism ).append( "'\n" );
>
>     if ( credentials == null )
>     {
>         sb.append( " Credentials : null" );
>     }
>     else
>     {
>         sb.append( " Credentials : (omitted-for-safety)" );
>     }
> }
> {code}
> This is absolutely wrong...
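The leak described in this issue, next to a redacted rendering, as an added self-contained Java example. It is not the Directory Client API's code and not the fix made for DIRAPI-197; the class and method names (`BindDumpExample`, `dumpUnsafe`, `dumpRedacted`) are hypothetical, the JDK `String` constructor stands in for `Strings.utf8ToString`, and the password is a constructed sample value.

```java
import java.nio.charset.StandardCharsets;

public class BindDumpExample
{
    // Reported behaviour: a simple bind renders the password into the dump.
    static String dumpUnsafe( boolean isSimple, String mechanism, byte[] credentials )
    {
        if ( !isSimple )
        {
            return dumpRedacted( isSimple, mechanism, credentials );
        }
        String text = credentials == null ? "" : new String( credentials, StandardCharsets.UTF_8 );
        return "Simple authentication : '" + text + "'\n";
    }

    // Redacted variant: both modes only say whether credentials are present.
    static String dumpRedacted( boolean isSimple, String mechanism, byte[] credentials )
    {
        StringBuilder sb = new StringBuilder();
        if ( isSimple )
        {
            sb.append( "Simple authentication\n" );
        }
        else
        {
            sb.append( "Sasl credentials\n" );
            sb.append( "Mechanism :'" ).append( mechanism ).append( "'\n" );
        }
        sb.append( "Credentials : " )
            .append( credentials == null ? "null" : "(omitted-for-safety)" ).append( '\n' );
        return sb.toString();
    }

    public static void main( String[] args )
    {
        String secret = "constructed-sample-password"; // constructed test value
        byte[] credentials = secret.getBytes( StandardCharsets.UTF_8 );

        System.out.println( "unsafe dump leaks password:   "
            + dumpUnsafe( true, null, credentials ).contains( secret ) );
        System.out.println( "redacted dump leaks password: "
            + dumpRedacted( true, null, credentials ).contains( secret ) );

        // Guard usable in a unit test: fail if the secret reaches the rendered string.
        if ( dumpRedacted( true, null, credentials ).contains( secret ) )
        {
            throw new IllegalStateException( "credentials leaked into dump" );
        }
    }
}
```

Because `toString()` output ends up in debug logs and exception messages, a check like the one in `main` is worth keeping as a regression test for any message class that carries credentials.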