Bug 335695 - [server] password revealed in logs when provided in GitFileStore url
Summary: [server] password revealed in logs when provided in GitFileStore url
Status: RESOLVED FIXED
Alias: None
Product: Orion
Classification: ECD
Component: Client
Version: 0.2
Hardware: PC Windows XP
Importance: P3 normal
Target Milestone: 0.2
Assignee: Tomasz Zarna CLA
Reported: 2011-01-28 10:25 EST by Tomasz Zarna CLA
Modified: 2011-09-01 11:42 EDT
Attachments
Fix v01 (16.83 KB, patch)
2011-02-09 07:27 EST, Tomasz Zarna CLA
mylyn/context/zip (17.46 KB, application/octet-stream)
2011-02-09 07:27 EST, Tomasz Zarna CLA
Description Tomasz Zarna CLA 2011-01-28 10:25:12 EST
When linking a project to a git repository you can provide a URL like this: ssh://[user[:password]@]host.xz[:port]/path/to/repo.git/ . You won't be asked to give your password when working with the repo because it's already known. The problem is that it will also be known to anyone who can read the logs:

!ENTRY org.eclipse.orion.server.filesystem.git 1 1 2011-01-28 16:23:42.187
!MESSAGE Cloned gitfs:/ssh:%5C%5Ctzarna:secret@localhost%5Cgit%5Ctest.git?%5C to D:\workspace\eclipse\junit-workspace\PRIVATE_REPO\test\ssh\localhost\git\test.git
Comment 1 Tomasz Zarna CLA 2011-02-09 07:23:44 EST
In org.eclipse.orion.server.filesystem.git.GitFileStore.toURI() we should use URIish.toString(), which hides the password, as opposed to URIish.toPrivateString().
Comment 2 Tomasz Zarna CLA 2011-02-09 07:27:13 EST
Created attachment 188581
Fix v01
Comment 3 Tomasz Zarna CLA 2011-02-09 07:27:16 EST
Created attachment 188582
mylyn/context/zip
Comment 4 Tomasz Zarna CLA 2011-02-09 07:49:41 EST
Fixed with a860745d613c5acbb957a31444fe6c3cea42d534.
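
A log check for the leak reported in this bug, as an added example that is not part of the original report or of the Orion code base: it percent-decodes each line before matching, because the password in the logged gitfs URI sits behind %5C-encoded separators that a plain `://user:password@` pattern would miss. The function names and the second and third sample lines are constructed for illustration; the first sample line is the log message quoted in the description.

```python
import re
from urllib.parse import unquote

# scheme ":" then one or two "/" or "\" separators, then user ":" password "@".
# Backslashes are accepted because the gitfs URI in the report carries the SSH
# URL with its separators stored as %5C.
CRED_RE = re.compile(
    r"(?P<head>[A-Za-z][A-Za-z0-9+.-]*:[/\\]{1,2}(?P<user>[^\s/\\:@]+))"
    r":(?P<password>[^\s/\\]+)@"
)

def decode(line, max_rounds=3):
    """Percent-decode until stable so nested or double-encoded URLs are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def find_leaks(line):
    """Return the user names whose passwords appear in a log line."""
    return [m["user"] for m in CRED_RE.finditer(decode(line))]

def redact(line):
    """Return the decoded line with each password dropped and the user kept."""
    return CRED_RE.sub(lambda m: m["head"] + "@", decode(line))

SAMPLE_LOG = [
    # Log message quoted in the bug description.
    r"!MESSAGE Cloned gitfs:/ssh:%5C%5Ctzarna:secret@localhost%5Cgit%5Ctest.git?%5C"
    r" to D:\workspace\eclipse\junit-workspace\PRIVATE_REPO\test\ssh\localhost\git\test.git",
    # Constructed: the same clone logged without a password.
    "!MESSAGE Cloned ssh://tzarna@localhost/git/test.git to /tmp/test.git",
    # Constructed: a double-encoded URL with a made-up user and password.
    "!MESSAGE Fetch from https%253A%252F%252Fbuild%253Ahunter2@example.org%252Frepo.git",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        if find_leaks(line):
            print("LEAK:", redact(line))
```

The check reports only the user name, so its own output does not repeat the password it found.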