From: SourceForge.net <no...@so...> - 2010-03-30 03:43:54
Bugs item #2979048, was opened at 2010-03-29 20:43
Message generated for change (Tracker Item Submitted) made by jpowell_vmw
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=712784&aid=2979048&group_id=128809

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: sfcb
Group: Security
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: John Powell (jpowell_vmw)
Assigned to: Chris Buccella (buccella)
Summary: Check credential info for indication handler

Initial Comment:
The CIM_IndicationHandlerCIMXML class ships a Destination property for the listener address; it is a URL string. Previously, sfcbd didn't check whether it is in the format http(s)://USER:PASSWORD@ADDRESS:PORT/. If this kind of URL comes in, especially one like root:CENSORED@localhost, any user with read access can see the CENSORED information.

Fix: when creating a CIM_IndicationHandlerCIMXML instance, examine the URL string and reject it if it contains any password information.
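
The check requested in the report, sketched as an added example (this is not sfcb's code or the fix that was committed). The function and enum names are hypothetical, the sample URLs are constructed, and it assumes a bare user name without a password is acceptable.

```c
#include <stdio.h>
#include <string.h>

/* Result codes; the names are hypothetical, chosen for this example. */
enum dest_check { DEST_OK, DEST_HAS_PASSWORD, DEST_MALFORMED };

/* Report whether the authority part of a Destination URL carries a
 * "user:password@" prefix. Anything but DEST_OK should be rejected. */
enum dest_check check_destination(const char *url)
{
    const char *auth, *end, *at = NULL, *p;

    /* Only http:// and https:// are accepted (case-sensitive, so an
     * unusual spelling fails closed as DEST_MALFORMED). */
    if (url != NULL && strncmp(url, "http://", 7) == 0)
        auth = url + 7;
    else if (url != NULL && strncmp(url, "https://", 8) == 0)
        auth = url + 8;
    else
        return DEST_MALFORMED;

    /* The authority ends at the first '/', '?' or '#'. */
    end = auth + strcspn(auth, "/?#");

    /* Userinfo is whatever precedes the last '@' inside the authority. */
    for (p = auth; p < end; p++)
        if (*p == '@')
            at = p;
    if (at == NULL)
        return DEST_OK;                 /* no userinfo at all */

    /* A ':' before that '@' separates the user from a password. */
    if (memchr(auth, ':', (size_t)(at - auth)) != NULL)
        return DEST_HAS_PASSWORD;
    return DEST_OK;                     /* bare "user@host" */
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "http://root:CENSORED@localhost:5988/",
        "https://listener.example:5989/indications",
        "http://[::1]:5988/a@b:c",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d  %s\n", check_destination(samples[i]), samples[i]);
    return 0;
}
```

Limiting the scan to the authority keeps an IPv6 port colon or an `@` in the path from being mistaken for credentials.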