VFS ant tasks reveal passwords
------------------------------
Key: VFS-277
URL: https://issues.apache.org/jira/browse/VFS-277
Project: Commons VFS
Issue Type: Bug
Affects Versions: 2.0
Environment: Solaris 10; Ant 1.7.1; commons-vfs-SNAPSHOT-2.0 (revision
537717)
Reporter: Horst Beham
1) AbstractSyncTask.java uses MessageFormat to create log messages, which goes
back to FileObject.toString(), which returns name.getURI() containing the
password.
A fix for that was suggested in VFS-169 (and others) to modify
AbstractFileObject.toString() to use "name.getFriendlyURI()", but it wasn't
implemented in order to keep the API compatible.
2) DeleteTask.java concatenates the string representation of the source
directory's URL in the the line:
log("Deleting " + filesList + " in the directory " + srcDirUrl)
To fix this I replaced the block inside the "if" with:
final FileObject srcDir = resolveFile(dir);
log("Deleting " + filesList + " in the directory " +
srcDir.getName().getFriendlyURI());
StringTokenizer tok = new StringTokenizer(filesList, ",
\t\n\r\f", false);
while (tok.hasMoreTokens())
{
String nextFile = tok.nextToken();
final FileObject srcFile = srcDir.resolveFile(nextFile);
srcFile.delete(Selectors.SELECT_ALL);
}
There might me more VFS ant tasks leaking passwords which I haven't looked at
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
