qpid-dev mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (QPID-6506) PropertiesFileInitialContextFactory pollutes system properties with values that may contain passwords
Date Fri, 24 Apr 2015 13:36:39 GMT

    [ https://issues.apache.org/jira/browse/QPID-6506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14511050#comment-14511050 ]

ASF subversion and git services commented on QPID-6506:
-------------------------------------------------------

Commit 1675856 from [~k-wall] in branch 'java/trunk'
[ https://svn.apache.org/r1675856 ]

QPID-6506, QPID-6508: [Java Client] PropertiesFileInitialContextFactory no longer swallows
exceptions, pollutes the system properties, nor modifies the environment.

IOExceptions and URISyntaxExceptions that were previously swallowed are now chained to a NamingException.
If the environment needs to be modified within the method a copy is created.
System properties are no longer set.

work done by Lorenz Quack <quack.lorenz@gmail.com> and Keith Wall <kwall@apache.org>

> PropertiesFileInitialContextFactory pollutes system properties with values that may contain passwords
> -----------------------------------------------------------------------------------------------------
>
>                 Key: QPID-6506
>                 URL: https://issues.apache.org/jira/browse/QPID-6506
>             Project: Qpid
>          Issue Type: Bug
>          Components: Java Client
>    Affects Versions: 0.8, 0.32
>            Reporter: Keith Wall
>            Priority: Minor
>
> The current implementation of PropertiesFileInitialContextFactory sets each property
> key encountered in the properties file as a system property (providing a system property with
> the same name does not already exist).
> It is not uncommon for applications or frameworks to log all system properties to aid
> diagnostics.  If such an application were to include the Qpid client, such logging may include
> connection URLs and thus may include passwords in the clear too.
> It seems difficult to justify why the PropertiesFileInitialContextFactory should behave
> in this way.  To me, it does not obviously support an end user use-case.  The commit comment
> goes back six years and seems to include a change made to help testing.
> Change PropertiesFileInitialContextFactory so that it no longer alters the system properties.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
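
The behaviour described in the issue, next to the approach described in the commit message, as an added Java example (not Qpid's code). The class and method names are hypothetical, and the sample property line and its credentials are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.NamingException;

public class SystemPropertyLeakDemo {
    // Constructed sample input; the URL and credentials are made up for this example.
    static final String SAMPLE = "connectionfactory.qpidConnectionFactory = "
        + "amqp://guest:s3cret@clientid/test?brokerlist='tcp://localhost:5672'\n";

    // Pattern from the issue: each file key becomes a system property unless one already exists.
    static void loadPolluting(Properties file) {
        for (String key : file.stringPropertyNames()) {
            if (System.getProperty(key) == null) {
                System.setProperty(key, file.getProperty(key));
            }
        }
    }

    // Pattern from the commit message: merge into a copy of the environment, leave system
    // properties alone, and chain I/O failures to a NamingException instead of swallowing them.
    static Hashtable<Object, Object> loadIsolated(Hashtable<?, ?> environment, String source)
            throws NamingException {
        Hashtable<Object, Object> copy = new Hashtable<>(environment);
        Properties file = new Properties();
        try {
            file.load(new StringReader(source));
        } catch (IOException e) {
            NamingException ne = new NamingException("Unable to load properties");
            ne.initCause(e);
            throw ne;
        }
        copy.putAll(file);
        return copy;
    }

    public static void main(String[] args) throws Exception {
        String key = "connectionfactory.qpidConnectionFactory";
        Hashtable<Object, Object> env = new Hashtable<>();
        Hashtable<Object, Object> merged = loadIsolated(env, SAMPLE);
        System.out.println("isolated: system property set? " + (System.getProperty(key) != null)
            + ", caller env size=" + env.size() + ", merged size=" + merged.size());

        Properties file = new Properties();
        file.load(new StringReader(SAMPLE));
        loadPolluting(file);
        // A diagnostic dump of all system properties now carries the password.
        System.getProperties().forEach((k, v) -> {
            if (String.valueOf(v).contains("s3cret")) System.out.println("leaked: " + k + "=" + v);
        });
    }
}
```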
