[jcifs] SMBException prints passwords
Rolf Breuning
Rolf.Breuning at t-online.de
Sun Jun 27 16:28:44 GMT 2004
Hello,

while using jcifs, I often use the smb://... smb file format including
the password.

This, however, currently has the disadvantage that any Exception will
write user name and password using the SmbFile.toString() method, even
into tomcat log files.

I thus propose to change either the toString() method of SmbFile or at
least the respective method of SmbException in such a way that it does
not return the password, but something like a "....".

I would prefer to change SmbFile.toString() as I assume this method is
also often used in places where it is not quite clear to the programmer
that this may reveal a user - password combination; the existing
toString method could be renamed to some other name like
toFullUserPwdPath().

The following code may not be a 100% solution, but it gives an idea:
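
    import java.util.regex.Matcher;
    import java.util.regex.Pattern;

    // Matches the first "/" or the first ":password@" part, whichever comes first.
    static final Pattern pwdPattern = Pattern.compile( "/|(:[^/@]*@)" );

    /** Return a string representing the receiver path in the form
     *  smb://.... ; suppress password
     * @return the path with the password replaced by "..."
     */
    public String toString() {
        // remove smb:// from path
        String path = smbFile.getCanonicalPath().substring( 6 );
        Matcher m = pwdPattern.matcher( path );
        // Replace only when the first match is the password part, i.e. it
        // occurs before the first "/" of the path.
        if ( m.find() && path.charAt( m.start() ) == ':' )
            path = m.replaceFirst( ":...@" );
        return "smb://" + path;
    }
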
Kind regards
Rolf
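
An added example (not part of the original post and not jcifs code) of the masking idea proposed above, generalized to scrub smb:// passwords from any string, such as an exception message, before it is logged. The class name SmbUrlRedactor and all sample URLs are assumptions constructed for illustration.

```java
import java.util.regex.Pattern;

/** Added example (not jcifs code): masks the password in smb:// URLs inside any text. */
public final class SmbUrlRedactor {
    // Group 1: "smb://" plus everything up to the first ':' of the authority
    //          (the user name, optionally "domain;user").
    // Then ':' + password, ending at the LAST '@' before the first '/' or
    // whitespace, so an unescaped '@' or ':' in the password is still covered.
    private static final Pattern PASSWORD =
            Pattern.compile("(smb://[^/\\s:]*):[^/\\s]*@");

    private SmbUrlRedactor() {}

    /** Returns text with every smb:// password replaced by "...". */
    public static String redact(String text) {
        return text == null ? null : PASSWORD.matcher(text).replaceAll("$1:...@");
    }

    // Fails loudly if the redaction result differs from the expected string.
    private static void check(String input, String expected) {
        String actual = redact(input);
        if (!expected.equals(actual)) {
            throw new AssertionError(input + " -> " + actual);
        }
        System.out.println(actual);
    }

    public static void main(String[] args) {
        // Constructed sample values; hosts, users and passwords are made up.
        check("smb://alice:s3cret@fs1/share/a.txt", "smb://alice:...@fs1/share/a.txt");
        check("smb://CORP;alice:p@ss:1@fs1/share/", "smb://CORP;alice:...@fs1/share/");
        // No password present: port numbers and '@' in the path stay untouched.
        check("smb://fs1:445/share/", "smb://fs1:445/share/");
        check("smb://alice@fs1/share/", "smb://alice@fs1/share/");
        check("smb://fs1/share/a:b@c.txt", "smb://fs1/share/a:b@c.txt");
        // A whole log line, e.g. an exception message that embeds the URL.
        check("Access is denied: smb://bob:hunter2@fs2/x/ (retry 1)",
              "Access is denied: smb://bob:...@fs2/x/ (retry 1)");
    }
}
```

The pattern treats the first "/" as the end of the authority, so a password containing an unescaped "/" is not covered.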