Keith Wall created QPID-6506:
--------------------------------
Summary: PropertiesFileInitialContextFactory pollutes system
properties with values that may contain passwords
Key: QPID-6506
URL: https://issues.apache.org/jira/browse/QPID-6506
Project: Qpid
Issue Type: Bug
Components: 0.8, 0.32
Reporter: Keith Wall
Priority: Minor
The current implementation of PropertiesFileInitialContextFactory sets each
property key encountered in the properties file as a system property (providing
a system property with the same name does not already exist).
It is not uncommon for applications or frameworks to log all system properties
to aid diagnostics. If such an application were to include the Qpid client,
such logging may include connection urls and thus may include passwords in the
clear too.
It seems difficult to justify why the PropertiesFileInitialContextFactory
should behave in this way. To me, it does not obviously support a end user
use-case. The commit comment goes back six years and seems to include a change
made to help testing.
Change PropertiesFileInitialContextFactory so that it no longer alters the
system properties.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
