[
https://issues.apache.org/jira/browse/VFS-169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12619478#action_12619478
]
James Carman commented on VFS-169:
----------------------------------
"I hope you fix this soon"
That's the beauty of open source software; you can help fix this! Attaching a
patch (including test cases) would be a good way to help get this thing fixed.
It seems like you've already got a good idea about how it should be done.
> Thrown exception reveals passwords
> ----------------------------------
>
> Key: VFS-169
> URL: https://issues.apache.org/jira/browse/VFS-169
> Project: Commons VFS
> Issue Type: Bug
> Affects Versions: 1.0
> Reporter: Joerg Schaible
>
> If an exception occurs accessing a FileObject on a FileSystem that is
> addressed with an URL containing user and password the thrown exception
> contains the password as part of the error message:
> org.apache.commons.vfs.FileSystemException: Could not connect to SFTP server
> at "sftp://user:[EMAIL PROTECTED]/".
> In such a case the URL should be printed as "sftp://user:[EMAIL PROTECTED]/".
> Same applied to log messages - at least for INFO and higher.
> This is a security risk, since in big companies exceptions and logs are
> normally collected and archived in monitoring systems and may reveal the
> password to persons that have normally no authorization to the target system.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
