commons-issues mailing list archives

From "Phil Dicke (JIRA)" <>
Subject [jira] [Commented] (NET-557) FTPClient Login suppression inconsistent
Date Wed, 03 Dec 2014 01:06:12 GMT


Phil Dicke commented on NET-557:

I had thought of that, as well, but is the goal here to err on the side of secure or not?
I would have thought that if I tell the software to mask the user name that it should do
so; the user at that point is being security conscious and the software should err on that side.

From a system perspective these messages are typically logged into some log file and then
those log files are backed up.  Anyone with access to the logs or back-up logs would have
access to an ftp user name.

Of course anyone who really cares about security would not be using FTP at all, but sometimes
to connect to 3rd party systems you have no choice.

> FTPClient Login suppression inconsistent
> ----------------------------------------
>                 Key: NET-557
>                 URL:
>             Project: Commons Net
>          Issue Type: Bug
>          Components: FTP
>    Affects Versions: 3.3
>         Environment: Windows 7, Java 7
>            Reporter: Phil Dicke
>            Priority: Minor
> The following code prints out the user name in one instance and masks it in the other. The password is masked in both cases. I would prefer the user name to be masked in both cases as well.
> {code}
> FTPClient client = new FTPClient();
> client.addProtocolCommandListener(new PrintCommandListener(System.out, true));
> client.connect(host);
> client.login(user, pass);
> {code}
> Output (Notice the user name is printed on the response)
> {code}
> 220 Microsoft FTP Service
> USER *******
> 331 Password required for ftpTest.
> PASS *******
> 230 User ftpTest logged in.
> {code}

This message was sent by Atlassian JIRA
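
Added example, not part of the original message and not Commons Net code: one way to keep the user name out of logged output is a custom `ProtocolCommandListener` that masks the `USER`/`PASS` arguments and also redacts the user name wherever a server reply echoes it (as in the `331` and `230` lines above). The class name `RedactingCommandListener`, the mask string and the `redact` helper are assumptions made for this sketch; register it with `client.addProtocolCommandListener(new RedactingCommandListener(System.out, user))` in place of `PrintCommandListener`.

```java
import java.io.PrintStream;
import java.util.regex.Pattern;

import org.apache.commons.net.ProtocolCommandEvent;
import org.apache.commons.net.ProtocolCommandListener;

/** Hypothetical listener: masks login commands and any reply text that echoes the user name. */
public class RedactingCommandListener implements ProtocolCommandListener {
    private static final String MASK = "*******";
    private final PrintStream out;
    private final Pattern userPattern; // null when there is no user name to redact

    public RedactingCommandListener(PrintStream out, String user) {
        this.out = out;
        // Pattern.quote: treat the user name as a literal string, not as a regex.
        this.userPattern = (user == null || user.isEmpty())
                ? null
                : Pattern.compile(Pattern.quote(user), Pattern.CASE_INSENSITIVE);
    }

    @Override
    public void protocolCommandSent(ProtocolCommandEvent event) {
        String cmd = event.getCommand();
        if ("USER".equalsIgnoreCase(cmd) || "PASS".equalsIgnoreCase(cmd)) {
            out.println(cmd + " " + MASK); // never print the argument
        } else {
            out.print(redact(event.getMessage()));
        }
        out.flush();
    }

    @Override
    public void protocolReplyReceived(ProtocolCommandEvent event) {
        // Servers may echo the user name, e.g. "331 Password required for <user>."
        out.print(redact(event.getMessage()));
        out.flush();
    }

    /** Replaces every occurrence of the user name in a protocol line with the mask. */
    String redact(String message) {
        if (message == null || userPattern == null) {
            return message;
        }
        return userPattern.matcher(message).replaceAll(MASK);
    }
}
```

A very short user name that also appears inside ordinary reply words will be masked there too, which over-redacts the log rather than leaking the name.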
