[jcifs] SMBException prints passwords

Rolf Breuning Rolf.Breuning at t-online.de
Sun Jun 27 16:28:44 GMT 2004


while using jcifs, I often use the smb://... smb file format including 
the password.
This, however, currently has the disadvantage, that any Exception will 
write user name and password using the SmbFile.toString() method, even 
into tomcat log files.

I thus propose to change either the toString() method of SmbFile or at 
least the respective method of SmbException in such a way, that it does 
not return the password, but something like a "....".

I would prefer to change SmbFile.toString() as I assume this method is 
also often used in places where it is not quite clear to the programmer 
that this may reveal a user - password combination; the existing 
toString method could be renamed to some other name like 

The following code may not be 100% solution but it gives an idea

        static final Pattern pwdPattern = Pattern.compile( 
"/|(:[^(/@)]*@)" );

        /** Return a string representing the receiver path in the form 
smb://.... ; suppress password
         * @return
        public String toString() {
            String path = smbFile.getCanonicalPath().substring( 6 ); // 
remove smb:// from path
            Matcher m = pwdPattern.matcher( path );
            if ( m.find() && path.charAt( m.start() ) == ':' ) path = 
m.replaceFirst( ":...@" );
            return "smb://" + path;

Kind regards


More information about the jcifs mailing list