andreacavalli/netty5
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Hide password in exception messages of SocksAuthRequest

Browse Source 
Related: #3504

Motivation:

There are two places in the SocksAuthRequest constructor where an
IllegalArgumentException is thrown with a password as part of the
exception message.

This constitutes mishandling of confidential information, which can
compromise user privacy and is flagged as critical by security scanners.

Modifications:

Mask the password in the exception messages

Result:

No unexpected password leak
This commit is contained in:
Trustin Lee 2015-03-17 17:21:30 +09:00
parent add0a0c9a4
commit faf1d90ae7
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/main/java/org/jboss/netty/handler/codec/socks/SocksAuthRequest.java
View File

@ -38,17 +38,17 @@ public final class SocksAuthRequest extends SocksRequest {
throw new NullPointerException("username");
}
if (password == null) {
throw new NullPointerException("username");
throw new NullPointerException("password");
}
if (!asciiEncoder.canEncode(username) || !asciiEncoder.canEncode(password)) {
throw new IllegalArgumentException(" username: " + username + " or password: " + password +
" values should be in pure ascii");
throw new IllegalArgumentException(
"username: " + username + " or password: **** values should be in pure ascii");
}
if (username.length() > 255) {
throw new IllegalArgumentException(username + " exceeds 255 char limit");
throw new IllegalArgumentException("username: " + username + " exceeds 255 char limit");
}
if (password.length() > 255) {
throw new IllegalArgumentException(password + " exceeds 255 char limit");
throw new IllegalArgumentException("password: **** exceeds 255 char limit");
}
this.username = username;
this.password = password;