Emmanuel Lecharny created DIRAPI-197:
----------------------------------------
Summary: When dumping a BindRequest, the password is exposed
Key: DIRAPI-197
URL: https://issues.apache.org/jira/browse/DIRAPI-197
Project: Directory Client API
Issue Type: Bug
Affects Versions: 1.0.0-M23
Reporter: Emmanuel Lecharny
Priority: Blocker
Fix For: 1.0.0-M24
The BindRequestImpl.toString() method does print the password when in Simple
mode (it's not the case when using SASL):

    if ( isSimple )
    {
        // Simple bind: the credentials are written out as text and as a byte dump
        sb.append( " Simple authentication : '" ).append( Strings.utf8ToString( credentials ) )
            .append( '/' ).append( Strings.dumpBytes( credentials ) ).append( "'\n" );
    }
    else
    {
        sb.append( " Sasl credentials\n" );
        sb.append( " Mechanism :'" ).append( mechanism ).append( "'\n" );

        if ( credentials == null )
        {
            sb.append( " Credentials : null" );
        }
        else
        {
            // SASL bind: the credentials are never printed
            sb.append( " Credentials : (omitted-for-safety)" );
        }
    }

This is absolutely wrong...