Hide password in exception messages of SocksAuthRequest

Related: #3504

Motivation:

There are two places in the SocksAuthRequest constructor where an
IllegalArgumentException is thrown with a password as part of the
exception message.

This constitutes mishandling of confidential information, which can
compromise user privacy and is flagged as critical by security scanners.

Modifications:

Mask the password in the exception messages

Result:

No unexpected password leak
Trustin Lee 2015-03-17 17:23:30 +09:00
parent 034e0bd8d2
commit 9091e66e15

@ -41,14 +41,14 @@ public final class SocksAuthRequest extends SocksRequest {
throw new NullPointerException("username");
}
if (!asciiEncoder.canEncode(username) || !asciiEncoder.canEncode(password)) {
throw new IllegalArgumentException(" username: " + username + " or password: " + password +
" values should be in pure ascii");
throw new IllegalArgumentException(
"username: " + username + " or password: **** values should be in pure ascii");
}
if (username.length() > 255) {
throw new IllegalArgumentException(username + " exceeds 255 char limit");
throw new IllegalArgumentException("username: " + username + " exceeds 255 char limit");
}
if (password.length() > 255) {
throw new IllegalArgumentException(password + " exceeds 255 char limit");
throw new IllegalArgumentException("password: **** exceeds 255 char limit");
}
this.username = username;
this.password = password;
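
Review bot: The combined ASCII check (`!asciiEncoder.canEncode(username) || !asciiEncoder.canEncode(password)`) now reports "username: ... or password: ****", so once the password is masked the caller cannot tell which of the two values was rejected. Splitting it into two checks would let each message name only the offending field, and the username would then not be echoed at all when the password is the value at fault. The username is still concatenated verbatim into both of its messages; if these exceptions end up in logs, it is worth deciding whether that is acceptable or whether the message should only name the field. A regression test that constructs the request with a non-ASCII password and with an over-long password, and asserts that the exception message does not contain the password, would keep this from regressing.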