
#1225 WebRequest.toString includes passwords

Status: closed
Owner: None
Priority: 5
Updated: 2012-10-21
Created: 2010-12-04
Private: No

When using toString() on a form WebRequest object, the list of parameters contains the password fields. I would prefer it if the passwords were *-ed out so that passwords do not end up in the log files.

(I have used perl and lwp before and that has implemented this behaviour)

I can try to implement a patch if you like.

Discussion

  • Ahmed Ashour

    Ahmed Ashour - 2010-12-04

    Can you provide a test case?

    The below doesn't write the password:

        import java.net.URL;
        import com.gargoylesoftware.htmlunit.DefaultCredentialsProvider;
        import com.gargoylesoftware.htmlunit.WebRequest;

        // Credentials attached via the credentials provider are not part of toString()
        WebRequest request = new WebRequest(new URL("http://www.sf.net"));
        DefaultCredentialsProvider p = new DefaultCredentialsProvider();
        p.addCredentials("uuu", "ppp");
        request.setCredentialsProvider(p);
        System.out.println(request);
    
     
  • Alexander Lehmann

    No, I meant that when you have a password field in a form, it is printed; please see the attached example.

     
  • Alexander Lehmann

    form example

     
  • Ahmed Ashour

    Ahmed Ashour - 2010-12-04

    That's tricky, because it depends on the 'previous' page, to get the <input type="password"> fields, and prevent them from being reported in the request parameter.

    Feel free to provide a patch.

     
  • Alexander Lehmann

    I assume that the form object as well as the name/value object needs a private flag; I'll try to write something if I have some time over the weekend.

     
  • Marc Guillemot

    Marc Guillemot - 2010-12-06

    Why do you want to avoid passwords in WebRequest.toString? What about just not printing WebRequest.toString in your log?
    If passwords are sensitive for you, WebRequest.toString is not the only place where they may be displayed. The HTTP log (if activated), for instance, contains all the information sent to the server... including passwords.

     
  • Alexander Lehmann

    I will write a specific log entry for WebRequest, however I would think the default behavior should be secure unless you want to do something else.

     
  • Marc Guillemot

    Marc Guillemot - 2010-12-08

    If this kind of security matters for you, then your code is insecure:
    System.out.println("Request: "+request.toString());

    The JavaDoc of WebRequest.toString says: "Returns a string representation of this object", which is not very precise (which is fine for debugging). Therefore you shouldn't use it if you want to control what gets logged on the console.

    I'm against removing password fields from WebRequest.toString. This is useful for debugging and this would not be the solution to security problems.

     
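The approach the thread converges on (Ahmed's point that the password fields are only known from the form of the "previous" page, and Marc's point that a caller who cares about logging should build its own log line rather than print WebRequest.toString) can be combined in a small caller-side helper. The following is an added example and not code from HtmlUnit or from anyone in this thread: a plain-Java redaction routine that takes the request parameters as name/value pairs plus the set of field names known to be password inputs, and masks those values with a fixed-length mask. The sample parameters in main() are constructed. With HtmlUnit, the password field names would be collected from the form's <input type="password"> elements and the pairs from WebRequest.getRequestParameters(); those API names are my recollection of HtmlUnit 2.x and are not used in the block so that it compiles with a bare JDK.

```java
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Builds a log-safe description of a form submission, masking password fields. */
public final class SafeRequestLogger {

    /** Fixed-length mask, so the log does not leak even the password length. */
    private static final String MASK = "********";

    /**
     * Returns a one-line summary of the request in which the value of every
     * parameter whose name is in {@code passwordFields} is replaced by MASK.
     * Field names are compared exactly, because HTML form field names are
     * case-sensitive.
     */
    public static String describe(String method, String url,
                                  List<Map.Entry<String, String>> params,
                                  Set<String> passwordFields) {
        StringBuilder sb = new StringBuilder(method).append(' ').append(url).append(" [");
        boolean first = true;
        for (Map.Entry<String, String> p : params) {
            if (!first) {
                sb.append(", ");
            }
            first = false;
            String value = passwordFields.contains(p.getKey()) ? MASK : p.getValue();
            sb.append(p.getKey()).append('=').append(value);
        }
        return sb.append(']').toString();
    }

    /** Convenience overload for the common case of a single password field. */
    public static String describe(String method, String url,
                                  List<Map.Entry<String, String>> params,
                                  String passwordField) {
        return describe(method, url, params,
                        new HashSet<>(Collections.singletonList(passwordField)));
    }

    public static void main(String[] args) {
        // Constructed sample: the parameters a typical login form would submit.
        // In HtmlUnit these would come from WebRequest.getRequestParameters()
        // (API name as I recall it; hypothetical here, not called in this file).
        List<Map.Entry<String, String>> params = new ArrayList<>();
        params.add(new AbstractMap.SimpleEntry<>("user", "alice"));
        params.add(new AbstractMap.SimpleEntry<>("pass", "s3cret!"));
        params.add(new AbstractMap.SimpleEntry<>("remember", "on"));

        // The set of password field names would be gathered from the form's
        // <input type="password"> elements on the page that was submitted.
        Set<String> passwordFields = new HashSet<>();
        passwordFields.add("pass");

        System.out.println(describe("POST", "http://example.invalid/login",
                                    params, passwordFields));
    }
}
```

Two caveats follow directly from the discussion: the mask only covers parameters whose names match a known password input, so a hidden field or a second input that echoes the same secret is still printed; and, as Marc notes, HtmlUnit's HTTP wire log (if enabled) still carries the full request body, so that log needs its own handling regardless of what toString() prints.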
