SEC-1867: Unsafe authentication.getCredentials.toString() especially when credentials is now null by default since 3.0 #2099

Closed
spring-issuemaster opened this Issue Dec 14, 2011 · 1 comment


@spring-issuemaster

Mark Liu (Migrated from SEC-1867) said:

Line 69 of ContextPropagatingRemoteInvocation:
    if (currentUser != null) {
        principal = currentUser.getName();
        credentials = currentUser.getCredentials().toString(); <<<
    }

If credentials is null, which it is by default per SEC-1493, the whole thing blows up. Blowing up is fine, fail fast and all, but maybe a message or something. Thanks.

@spring-issuemaster

Rob Winch said:

I have pushed a fix into master.

I am a bit hesitant to fail fast as we do not know if a null password is acceptable (perhaps the principal is all that is used for authentication). Therefore I updated the code to perform a null check prior to calling toString on it. If the credential is null, a debug statement is logged stating as such.

@spring-issuemaster spring-issuemaster added this to the 3.1.1 milestone Feb 5, 2016
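
The failure mode reported above and the null-safe handling described in the fix comment, as an added stand-alone example (not code from Spring Security and not the actual patch). The `Authentication` interface here is a two-method stand-in for Spring Security's interface, `java.util.logging` stands in for whatever logger the project uses, and `erasedUser()` is a constructed sample whose credentials have already been erased:

```java
import java.util.logging.Level;
import java.util.logging.Logger;

// Stand-in for Spring Security's Authentication (assumption: only the two
// methods the snippet in the issue calls are modelled here).
interface Authentication {
    String getName();
    Object getCredentials();
}

public class CredentialsPropagationExample {
    private static final Logger log =
            Logger.getLogger(CredentialsPropagationExample.class.getName());

    // Before: the pattern quoted in the issue. Throws NullPointerException as
    // soon as getCredentials() returns null (the default once credentials are erased).
    static String credentialsUnsafe(Authentication currentUser) {
        String credentials = null;
        if (currentUser != null) {
            credentials = currentUser.getCredentials().toString();
        }
        return credentials;
    }

    // After: check for null before calling toString() and log at debug level
    // when credentials are absent, so a principal-only context still propagates.
    static String credentialsNullSafe(Authentication currentUser) {
        String principal = null;
        String credentials = null;
        if (currentUser != null) {
            principal = currentUser.getName();
            Object creds = currentUser.getCredentials();
            if (creds != null) {
                credentials = creds.toString();
            } else if (log.isLoggable(Level.FINE)) {
                log.fine("Credentials for principal '" + principal
                        + "' are null; propagating null credentials");
            }
        }
        return credentials;
    }

    // Constructed sample: an authenticated user whose credentials were erased.
    static Authentication erasedUser() {
        return new Authentication() {
            public String getName() { return "alice"; }
            public Object getCredentials() { return null; }
        };
    }

    public static void main(String[] args) {
        Authentication user = erasedUser();
        System.out.println("null-safe credentials: " + credentialsNullSafe(user));
        try {
            credentialsUnsafe(user);
        } catch (NullPointerException e) {
            System.out.println("unsafe variant: NullPointerException, as reported in the issue");
        }
    }
}
```

One thing to avoid when "fixing" this: replacing the call with `String.valueOf(currentUser.getCredentials())` would suppress the exception but send the literal string `"null"` as the password to the remote side, which is worse than either failing or propagating a real null. The explicit null check keeps the absent credential absent.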