Bug 335695

Summary: [server] password revealed in logs when provided in GitFileStore url
Product: [ECD] Orion
Reporter: Tomasz Zarna <tomasz.zarna>
Component: Client
Assignee: Tomasz Zarna <tomasz.zarna>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: P3
Version: 0.2
Target Milestone: 0.2
Hardware: PC
OS: Windows XP
Whiteboard:
Attachments (description, flags):
Fix v01, none
mylyn/context/zip, none

Description Tomasz Zarna CLA 2011-01-28 10:25:12 EST
When linking a project to a git repository you can provide a url like this: ssh://[user[:password]@]host.xz[:port]/path/to/repo.git/ . You won't be asked to give your password when working with the repo because it's already known. The problem is that it will also be known to anyone who can read the logs:

!ENTRY org.eclipse.orion.server.filesystem.git 1 1 2011-01-28 16:23:42.187
!MESSAGE Cloned gitfs:/ssh:%5C%5Ctzarna:secret@localhost%5Cgit%5Ctest.git?%5C to D:\workspace\eclipse\junit-workspace\PRIVATE_REPO\test\ssh\localhost\git\test.git

Comment 1 Tomasz Zarna CLA 2011-02-09 07:23:44 EST
In org.eclipse.orion.server.filesystem.git.GitFileStore.toURI() we should use URIish.toString(), which hides a password, as opposed to URIish.toPrivateString().
Comment 2 Tomasz Zarna CLA 2011-02-09 07:27:13 EST
Created attachment 188581
Fix v01
Comment 3 Tomasz Zarna CLA 2011-02-09 07:27:16 EST
Created attachment 188582
mylyn/context/zip
Comment 4 Tomasz Zarna CLA 2011-02-09 07:49:41 EST
Fixed with a860745d613c5acbb957a31444fe6c3cea42d534.
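
An added example, not part of the bug report or of Orion's code: a small Python scanner for logs written before the fix, which finds and masks passwords embedded in remote URLs, including the percent-encoded form seen in the entry quoted in the description. The function names, the mask and every sample line except the first are constructed for illustration.

```python
import re

# scheme, separator, user, ":", password, then "@".  The separator is "//" in
# a normal URL; the entry quoted in this bug shows it as two percent-encoded
# backslashes (%5C%5C), so both spellings (and raw backslashes) are accepted.
# Assumption: a literal "@" inside the password is percent-encoded.
_CRED = re.compile(
    r"""(?P<prefix>
            \b[a-z][a-z0-9+.-]*:          # scheme, e.g. ssh:
            (?://|(?:%5C){2}|\\\\)        # separator in any of three spellings
            (?P<user>[^\s:@/\\]+):        # user name and the colon after it
        )
        (?P<password>[^\s@/\\]+)          # the part that must not be logged
        (?=@)                             # userinfo ends at the @
    """,
    re.IGNORECASE | re.VERBOSE,
)


def find_leaks(lines):
    """Return (line_number, user) for each URL password found in the lines."""
    return [(n, m.group("user"))
            for n, line in enumerate(lines, 1)
            for m in _CRED.finditer(line)]


def redact(line, mask="***"):
    """Mask every URL password in a log line; user and host stay readable."""
    return _CRED.sub(lambda m: m.group("prefix") + mask, line)


SAMPLE_LOG = [
    # Message from the bug description.
    r"!MESSAGE Cloned gitfs:/ssh:%5C%5Ctzarna:secret@localhost%5Cgit%5Ctest.git?%5C"
    r" to D:\workspace\eclipse\junit-workspace\PRIVATE_REPO\test\ssh\localhost\git\test.git",
    # Constructed lines: a plain URL with a password, then two without one.
    "!MESSAGE Cloned ssh://alice:hunter2@git.example.org:29418/repo.git",
    "!MESSAGE Cloned ssh://alice@git.example.org:29418/repo.git",
    "!ENTRY org.eclipse.orion.server.filesystem.git 1 1 2011-01-28 16:23:42.187",
]

if __name__ == "__main__":
    for n, user in find_leaks(SAMPLE_LOG):
        print(f"line {n}: password for user {user!r} -> {redact(SAMPLE_LOG[n - 1])}")
```

Any password such a scan turns up has already been exposed to everyone with read access to the log, so masking the file does not replace rotating the credential.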