[ https://issues.apache.org/jira/browse/NET-557?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14232432#comment-14232432 ]

Sebb commented on NET-557:
--------------------------

The user name on its own is not sufficient to log in.
The fact that FTP servers respond with the user name suggests that it really 
does not need to be redacted in most cases.
So how much of a security risk is it?
I'm not sure that this is worth the effort.

If you don't want the login sequence to be captured, then don't use a command 
listener, or add it after login.
Or write your own.

> FTPClient Login suppression inconsistent
> ----------------------------------------
>
>                 Key: NET-557
>                 URL: https://issues.apache.org/jira/browse/NET-557
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP
>    Affects Versions: 3.3
>         Environment: Windows 7, Java 7
>            Reporter: Phil Dicke
>            Priority: Minor
>
> The following code prints out the user name in one instance and masks it in 
> the other.  The password is masked in both cases.  I would prefer the user 
> name to be masked in both cases as well.
> {code}
> FTPClient client = new FTPClient();
> client.addProtocolCommandListener(new PrintCommandListener(System.out, true));
> client.connect(host);
> client.login(user, pass);
> {code}
> Output (Notice the user name is printed on the response)
> {code}
> 220 Microsoft FTP Service
> USER *******
> 331 Password required for ftpTest.
> PASS *******
> 230 User ftpTest logged in.
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
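
One way to follow the "write your own" suggestion in the comment above, as an added example that is not part of the original message or of Commons Net: a hypothetical `RedactingCommandListener` that remembers the argument of the USER command and masks it in later server replies. `main` replays the exchange from the issue as constructed events (the password `secret` is a constructed value), so it runs without a server.

```java
import java.io.PrintStream;
import org.apache.commons.net.ProtocolCommandEvent;
import org.apache.commons.net.ProtocolCommandListener;

// Added example: hypothetical class, not shipped with Commons Net.
public class RedactingCommandListener implements ProtocolCommandListener {
    private static final String MASK = "*******";
    private final PrintStream out;
    private String user; // learned from the USER command, used to scrub replies

    public RedactingCommandListener(PrintStream out) { this.out = out; }

    @Override
    public void protocolCommandSent(ProtocolCommandEvent event) {
        String cmd = event.getCommand();
        String line = event.getMessage().trim();
        if ("USER".equalsIgnoreCase(cmd) || "PASS".equalsIgnoreCase(cmd)) {
            if ("USER".equalsIgnoreCase(cmd)) {
                int sp = line.indexOf(' ');
                user = sp < 0 ? null : line.substring(sp + 1).trim();
            }
            line = cmd + " " + MASK; // never print the argument itself
        }
        out.println(line);
    }

    @Override
    public void protocolReplyReceived(ProtocolCommandEvent event) {
        out.println(redact(event.getMessage().trim()));
    }

    // Literal replacement; an empty or unknown user name leaves the text as is.
    String redact(String text) {
        return (user == null || user.isEmpty()) ? text : text.replace(user, MASK);
    }

    // Replays the exchange from the issue as constructed events; no server needed.
    public static void main(String[] args) {
        RedactingCommandListener l = new RedactingCommandListener(System.out);
        Object src = new Object();
        l.protocolReplyReceived(new ProtocolCommandEvent(src, 220, "220 Microsoft FTP Service\r\n"));
        l.protocolCommandSent(new ProtocolCommandEvent(src, "USER", "USER ftpTest\r\n"));
        l.protocolReplyReceived(new ProtocolCommandEvent(src, 331, "331 Password required for ftpTest.\r\n"));
        l.protocolCommandSent(new ProtocolCommandEvent(src, "PASS", "PASS secret\r\n"));
        l.protocolReplyReceived(new ProtocolCommandEvent(src, 230, "230 User ftpTest logged in.\r\n"));
    }
}
```

Register it with `client.addProtocolCommandListener(...)` in place of `PrintCommandListener`, before calling `login`. Because the replacement is a plain substring match, a very short user name will also mask unrelated text in replies.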
