Hide password in exception messages of SocksAuthRequest

Related: #3504

Motivation:

There are two places in the SocksAuthRequest constructor where an
IllegalArgumentException is thrown with a password as part of the
exception message.

This constitutes mishandling of confidential information, which can
compromise user privacy and is flagged as critical by security scanners.

Modifications:

Mask the password in the exception messages

Result:

No unexpected password leak
Trustin Lee 2015-03-17 17:23:30 +09:00
parent a97e413a65
commit 1d061bbb27

@ -41,14 +41,14 @@ public final class SocksAuthRequest extends SocksRequest {
throw new NullPointerException("username"); throw new NullPointerException("username");
} }
if (!asciiEncoder.canEncode(username) || !asciiEncoder.canEncode(password)) { if (!asciiEncoder.canEncode(username) || !asciiEncoder.canEncode(password)) {
throw new IllegalArgumentException(" username: " + username + " or password: " + password + throw new IllegalArgumentException(
" values should be in pure ascii"); "username: " + username + " or password: **** values should be in pure ascii");
} }
if (username.length() > 255) { if (username.length() > 255) {
throw new IllegalArgumentException(username + " exceeds 255 char limit"); throw new IllegalArgumentException("username: " + username + " exceeds 255 char limit");
} }
if (password.length() > 255) { if (password.length() > 255) {
throw new IllegalArgumentException(password + " exceeds 255 char limit"); throw new IllegalArgumentException("password: **** exceeds 255 char limit");
} }
this.username = username; this.username = username;
this.password = password; this.password = password;
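
Review bot: The new username length check still echoes the whole value via `"username: " + username + " exceeds 255 char limit"`, and the ASCII check likewise concatenates a username that may contain non-ASCII characters. Both strings are caller-supplied and unbounded at this point, and exception messages routinely end up in logs, so consider reporting only the field name and `username.length()` instead of the value itself. Separately, the combined ASCII check produces "username: ... or password: ****", which does not tell the caller which field failed. Splitting it into two `canEncode` checks would let each message name the offending field without revealing either value.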