[ https://issues.apache.org/jira/browse/VFS-277?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Horst Beham updated VFS-277:
----------------------------

    Description: 
1) Password leaking through FileObject.toString()
- AbstractSyncTask.java and MkdirTask.java use MessageFormat to create log 
messages, which goes back to FileObject.toString() and returns "name.getURI()" 
containing the password.
            final String message = Messages.getString("vfs.tasks/mkdir.create-folder.info", dir);
            log(message);

- MoveTask.java and SyncTask.java use string concatenation with a FileObject, 
also going back to toString():
            log("Deleting " + srcFile);

A fix for that was suggested in VFS-169 (and others) to modify 
AbstractFileObject.toString() to use "name.getFriendlyURI()", but it wasn't 
implemented in order to keep the API compatible. For our project I was able to 
change the toString() implementation.
To keep the API working, all calls to Messages.getString(...) that pass in 
FileObjects should then rather pass in fileObject.getName().getFriendlyURI().

2) String concatenation with URI strings
DeleteTask.java concatenates the string representation of the source 
directory's URL in the line:
log("Deleting " + filesList + " in the directory " + srcDirUrl);

To fix this I replaced the block inside the "if" with:
                final FileObject srcDir = resolveFile(dir);
                log("Deleting " + filesList + " in the directory " + srcDir.getName().getFriendlyURI());

                StringTokenizer tok = new StringTokenizer(filesList, ", \t\n\r\f", false);
                while (tok.hasMoreTokens())
                {
                    String nextFile = tok.nextToken();
                    final FileObject srcFile = srcDir.resolveFile(nextFile);
                    srcFile.delete(Selectors.SELECT_ALL);
                }

3) Explicit logging of the password URI
ShowFileTask.java explicitly logs the URI with the password:
            log("Details of " + file.getName().getURI());



  was:
1) AbstractSyncTask.java uses MessageFormat to create log messages, which goes 
back to FileObject.toString(), which returns name.getURI() containing the 
password.

A fix for that was suggested in VFS-169 (and others) to modify 
AbstractFileObject.toString() to use "name.getFriendlyURI()", but it wasn't 
implemented in order to keep the API compatible.

2) DeleteTask.java concatenates the string representation of the source 
directory's URL in the line:
log("Deleting " + filesList + " in the directory " + srcDirUrl);

To fix this I replaced the block inside the "if" with:
                final FileObject srcDir = resolveFile(dir);
                log("Deleting " + filesList + " in the directory " + srcDir.getName().getFriendlyURI());

                StringTokenizer tok = new StringTokenizer(filesList, ", \t\n\r\f", false);
                while (tok.hasMoreTokens())
                {
                    String nextFile = tok.nextToken();
                    final FileObject srcFile = srcDir.resolveFile(nextFile);
                    srcFile.delete(Selectors.SELECT_ALL);
                }


There might be more VFS ant tasks leaking passwords which I haven't looked at.


> VFS ant tasks reveal passwords
> ------------------------------
>
>                 Key: VFS-277
>                 URL: https://issues.apache.org/jira/browse/VFS-277
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 2.0
>         Environment: Solaris 10; Ant 1.7.1; commons-vfs-SNAPSHOT-2.0 (revision 537717)
>            Reporter: Horst Beham
>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
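The report's point is that any code path that stringifies a FileObject (toString(), getURI(), or string concatenation) puts the URI's password into an Ant log line, and that the fix is to render the name through getFriendlyURI() instead. The following added example is not Commons VFS code and does not depend on it; it uses java.net.URI to do the same masking (the "user:***@" output format is an assumption, chosen to resemble what the report describes), and adds a small check a maintainer can run over log lines to confirm that no "scheme://user:password@" remains after the change.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

/**
 * Added illustration for the VFS-277 report; not Commons VFS code.
 * Shows the leaking concatenation next to a masked rendering, plus a
 * detector that audits log output for credentials embedded in URIs.
 */
public class UriLogRedaction {

    /**
     * Matches "scheme://user:password@". The password class excludes '*' so a
     * masked "user:***@" is not reported as a leak (assumption: '***' is the mask).
     */
    private static final Pattern CREDENTIALS_IN_URI =
            Pattern.compile("[A-Za-z][A-Za-z0-9+.-]*://[^/@\\s:]+:[^/@\\s*]+@");

    /**
     * Rebuilds the URI with the password part of the user-info replaced by "***".
     * This plays the role that getFriendlyURI() plays in the report; the exact
     * VFS output format is not reproduced here.
     */
    static String friendlyUri(String rawUri) throws URISyntaxException {
        URI uri = new URI(rawUri);
        String userInfo = uri.getUserInfo();
        if (userInfo == null) {
            return uri.toString();            // nothing to mask
        }
        int colon = userInfo.indexOf(':');
        String masked = colon < 0 ? userInfo : userInfo.substring(0, colon) + ":***";
        // Re-assemble from components so host, port, path, query and fragment survive unchanged.
        return new URI(uri.getScheme(), masked, uri.getHost(), uri.getPort(),
                       uri.getPath(), uri.getQuery(), uri.getFragment()).toString();
    }

    /** True if a log line still carries a "user:password@" user-info section. */
    static boolean leaksCredentials(String logLine) {
        return CREDENTIALS_IN_URI.matcher(logLine).find();
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample; no real host or credential.
        String src = "ftp://deploy:s3cret@ftp.example.org/releases/app.jar";

        String leaking = "Deleting " + src;                // what toString()/getURI() concatenation yields
        String masked  = "Deleting " + friendlyUri(src);   // what the getFriendlyURI() fix yields

        System.out.println(leaking + "  leaks=" + leaksCredentials(leaking)); // leaks=true
        System.out.println(masked  + "  leaks=" + leaksCredentials(masked));  // leaks=false
    }
}
```

Running the class prints the two renderings side by side; the detector is the kind of check worth wiring into a test that captures the Ant task output, since the report itself notes that further tasks beyond the ones listed may still leak.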