[ 
https://issues.apache.org/jira/browse/FTPSERVER-120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Niklas Gustavsson closed FTPSERVER-120.
---------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.0-M2

Fixed, requires the latest MINA snapshot so make sure Maven upgrades when 
building.

commit -m "+ FtpLoggingFilter, specialized LoggingFilter for masking FTP 
password (FTPSERVER-120)" 
/home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/filesystem/NativeFileSystemManager.java
 
/home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/filter
 
/home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/filter/FtpLoggingFilter.java
 
/home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/listener/mina/MinaListener.java
    Sending        
/home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/filesystem/NativeFileSystemManager.java
    Adding         
/home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/filter
    Adding         
/home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/filter/FtpLoggingFilter.java
    Sending        
/home/niklas/workspaces/apache/ftpserver/core/src/main/java/org/apache/ftpserver/listener/mina/MinaListener.java
    Transmitting file data ...
    Committed revision 645286.

> FtpServer should not log passwords in clear text.
> -------------------------------------------------
>
>                 Key: FTPSERVER-120
>                 URL: https://issues.apache.org/jira/browse/FTPSERVER-120
>             Project: FtpServer
>          Issue Type: Bug
>            Reporter: Daniel Abramovich
>            Assignee: Niklas Gustavsson
>            Priority: Minor
>             Fix For: 1.0-M2
>
>
> Those log statements are logged by the MINA logging filter and there's
> not much we can do about that one (except for not including in the
> default setup). We could roll our own logging filter that takes out
> the password. Please file a JIRA ticket and I'll take care of it.
> /niklas
> > Hi,
> >
> >
> >
> >  I'd like to make a suggestion that passwords not be logged in clear
> >  text. For example:
> >
> >
> >
> >  Thu Mar 27 2008 00:06:08,762 EDT INFO
> >  org.apache.ftpserver.listener.mina.MinaFtpProtocolHandler -
> >  [/10.6.20.226:63995] RECEIVED: PASS admin
> >
> >
> >
> >  We find the protocol logging to be useful, but logging of passwords will
> >  make security folks unhappy. Perhaps, it could just log ******* or
> >  somesuch?
> >

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
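
The masking step that a password-aware protocol logging filter has to perform, as an added example; it is not the FtpLoggingFilter committed in revision 645286, whose source does not appear in this message. The class name FtpLogMasker, the mask string and the sample request lines are assumptions made for the illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not Apache FtpServer code. FtpLogMasker is a hypothetical name.
public class FtpLogMasker {
    // FTP command verbs are case-insensitive, so match PASS in any case.
    // Group 1: verb plus separator, group 2: the secret, group 3: optional CR/LF.
    // "PASV" and a bare "PASS" carry no secret and do not match.
    private static final Pattern PASS_LINE = Pattern.compile(
            "(\\s*PASS[ \\t]+)(.*?)(\\r?\\n?)",
            Pattern.CASE_INSENSITIVE | Pattern.DOTALL);

    // Fixed-length mask, so the log does not reveal the password length either.
    private static final String MASK = "*****";

    /** Returns the request line with any PASS argument replaced by the mask. */
    public static String mask(String requestLine) {
        if (requestLine == null) {
            return null;
        }
        Matcher m = PASS_LINE.matcher(requestLine);
        if (!m.matches()) {
            return requestLine; // every other command is logged unchanged
        }
        return m.group(1) + MASK + m.group(3);
    }

    public static void main(String[] args) {
        // Constructed sample request lines, not taken from a real session.
        String[] samples = {
            "USER admin\r\n",
            "PASS admin\r\n",
            "pass s3cret with spaces\r\n",
            "PASV\r\n"
        };
        for (String line : samples) {
            // Log the masked form only; the raw line never reaches the logger.
            System.out.println("RECEIVED: " + mask(line).trim());
        }
    }
}
```

The mask has to be applied before the line is handed to the logger, so the clear-text password is never formatted into a log message at any level.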