[ https://issues.apache.org/jira/browse/VFS-277?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Horst Beham updated VFS-277:
----------------------------

    Attachment: vfs-test.xml

An Ant script that tests whether the log output contains passwords.
Requires ant-contrib.jar and Ant 1.7.x.

> VFS ant tasks reveal passwords
> ------------------------------
>
>                 Key: VFS-277
>                 URL: https://issues.apache.org/jira/browse/VFS-277
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 2.0
>         Environment: Solaris 10; Ant 1.7.1; commons-vfs-SNAPSHOT-2.0 (revision 537717)
>            Reporter: Horst Beham
>         Attachments: ant-password-leak.diff, vfs-test.xml
>
>
> 1) Password leaking through FileObject.toString()
> - AbstractSyncTask.java and MkdirTask.java use MessageFormat to create log
> messages, which goes back to FileObject.toString() and returns
> "name.getURI()" containing the password.
>             final String message = Messages.getString("vfs.tasks/mkdir.create-folder.info", dir);
>             log(message);
> - MoveTask.java and SyncTask.java use string concatenation with a FileObject,
> also going back to toString():
>             log("Deleting " + srcFile);
> A fix for that was suggested in VFS-169 (and others) to modify 
> AbstractFileObject.toString() to use "name.getFriendlyURI()", but it wasn't 
> implemented in order to keep the API compatible. For our project I was able 
> to change the toString() implementation.
> To keep the API working all calls to Messages.getString(...) that pass in 
> FileObject's should then rather pass in fileObject.getName().getFriendlyURI().
> 2) String concatenation with URI strings
> DeleteTask.java concatenates the string representation of the source
> directory's URL in the line:
>                 log("Deleting " + filesList + " in the directory " + srcDirUrl);
> To fix this I replaced the block inside the "if" with:
>                 final FileObject srcDir = resolveFile(srcDirUrl);
>                 log("Deleting " + filesList + " in the directory " + srcDir.getName().getFriendlyURI());
>                 StringTokenizer tok = new StringTokenizer(filesList, ", \t\n\r\f", false);
>                 while (tok.hasMoreTokens())
>                 {
>                     String nextFile = tok.nextToken();
>                     final FileObject srcFile = srcDir.resolveFile(nextFile);
>                     srcFile.delete(Selectors.SELECT_ALL);
>                 }
> 3) Explicit logging of the password URI
> ShowFileTask.java explicitly logs the URI with the password:
>             log("Details of " + file.getName().getURI());

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.