[
https://issues.apache.org/jira/browse/NET-557?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14232417#comment-14232417
]
Phil Dicke edited comment on NET-557 at 12/3/14 1:06 AM:
---------------------------------------------------------
I had thought of that, as well, but is the goal here to err on the side of
secure or not? I would have thought that if I tell the software to mask the
user name that it should do that because I am at that point being security
conscious and the software should err on that side.
From a system perspective these messages are typically logged into some log
file and then those log files are backed up. Anyone with access to the logs
or back-up logs would have access to an ftp user name.
Of course anyone who really cares about security would not be using FTP at all,
but sometimes to connect to 3rd party systems you have no choice.
was (Author: philci52):
I had thought of that, as well, but is the goal here to err on the side of
secure or not? I would have thought that if I tell the software to mask the
user name that it should do that; the user at that point is being security
conscious and the software should err on that side.
From a system perspective these messages are typically logged into some log
file and then those log files are backed up. Anyone with access to the logs
or back-up logs would have access to an ftp user name.
Of course anyone who really cares about security would not be using FTP at all,
but sometimes to connect to 3rd party systems you have no choice.
> FTPClient Login suppression inconsistent
> ----------------------------------------
>
> Key: NET-557
> URL: https://issues.apache.org/jira/browse/NET-557
> Project: Commons Net
> Issue Type: Bug
> Components: FTP
> Affects Versions: 3.3
> Environment: Windows 7, Java 7
> Reporter: Phil Dicke
> Priority: Minor
>
> The following code prints out the user name in one instance and masks it in
> the other. The password is masked in both cases. I would prefer the user
> name to be masked in both cases as well.
> {code}
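> import org.apache.commons.net.PrintCommandListener;
> import org.apache.commons.net.ftp.FTPClient;
>
> FTPClient client = new FTPClient();
> // second argument (suppressLogin = true) asks the listener to mask login details
> client.addProtocolCommandListener(new PrintCommandListener(System.out, true));
> client.connect(host);
> client.login(user, pass);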
> {code}
> Output (Notice the user name is printed on the response)
> {code}
> 220 Microsoft FTP Service
> USER *******
> 331 Password required for ftpTest.
> PASS *******
> 230 User ftpTest logged in.
> {code}
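An added example, not code from the issue or from Commons Net: a hypothetical `RedactingCommandListener` that remembers the name sent with `USER` and masks it in later server replies, so lines such as `331 Password required for ...` do not carry it into logs. It assumes commons-net is on the classpath; the events in `main` are constructed to replay the session from the report.

```java
import java.io.PrintStream;
import java.util.regex.Pattern;
import org.apache.commons.net.ProtocolCommandEvent;
import org.apache.commons.net.ProtocolCommandListener;

// Hypothetical listener (not part of Commons Net): masks the login name in replies too.
public class RedactingCommandListener implements ProtocolCommandListener {
    private static final String MASK = "*******"; // no '$' or '\', safe as a regex replacement
    private final PrintStream out;
    private volatile String user; // learned from the USER command, never printed

    public RedactingCommandListener(PrintStream out) { this.out = out; }

    @Override
    public void protocolCommandSent(ProtocolCommandEvent event) {
        String cmd = event.getCommand();
        if ("USER".equalsIgnoreCase(cmd)) {
            // getMessage() is the full line, e.g. "USER name\r\n"; keep only the argument
            user = event.getMessage().trim().substring(cmd.length()).trim();
        }
        if ("USER".equalsIgnoreCase(cmd) || "PASS".equalsIgnoreCase(cmd)) {
            out.println(cmd + " " + MASK);
        } else {
            out.print(redact(event.getMessage()));
        }
    }

    @Override
    public void protocolReplyReceived(ProtocolCommandEvent event) {
        out.print(redact(event.getMessage()));
    }

    // Replace every case-insensitive occurrence of the remembered name with the mask.
    String redact(String text) {
        String u = user;
        if (u == null || u.isEmpty()) return text;
        return Pattern.compile(Pattern.quote(u), Pattern.CASE_INSENSITIVE)
                .matcher(text).replaceAll(MASK);
    }

    public static void main(String[] args) {
        // Constructed events; no network connection is made.
        RedactingCommandListener l = new RedactingCommandListener(System.out);
        l.protocolReplyReceived(new ProtocolCommandEvent(l, 220, "220 Microsoft FTP Service\r\n"));
        l.protocolCommandSent(new ProtocolCommandEvent(l, "USER", "USER ftpTest\r\n"));
        l.protocolReplyReceived(new ProtocolCommandEvent(l, 331, "331 Password required for ftpTest.\r\n"));
        l.protocolCommandSent(new ProtocolCommandEvent(l, "PASS", "PASS secret\r\n"));
        l.protocolReplyReceived(new ProtocolCommandEvent(l, 230, "230 User ftpTest logged in.\r\n"));
    }
}
```

A very short user name will also be masked wherever it appears inside other words in a reply, which over-redacts rather than leaks.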