Donald Kwakkel created CMIS-940:
-----------------------------------
Summary: Heap Inspection could reveal passwords
Key: CMIS-940
URL: https://issues.apache.org/jira/browse/CMIS-940
Project: Chemistry
Issue Type: Bug
Components: opencmis-client
Affects Versions: OpenCMIS 0.13.0
Reporter: Donald Kwakkel
Sensitive data (such as passwords, social security numbers, credit card numbers
etc) stored in memory can be leaked if memory is not cleared after use. Often,
Strings are used to store sensitive data; however, since String objects are
immutable, removing the value of a String from memory can only be done by the
JVM garbage collector. The garbage collector is not required to run unless the
JVM is low on memory, so there is no guarantee as to when garbage collection
will take place. In the event of an application crash, a memory dump of the
application might reveal sensitive data.
src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java:

    public static SessionParameterMap createSessionParameters(String url,
            BindingType binding, String username, String password,
            Authentication authentication, boolean compression,
            boolean clientCompression, boolean cookies) {
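As an added illustration of the mitigation the report points at (this is example code, not OpenCMIS's), the hypothetical `ScrubbedCredential` class below keeps the password in a `char[]`, derives the HTTP Basic header bytes from it without ever creating a `String`, and zeroes every scratch buffer in a `finally` block; the class name, the sample user and the sample password are assumptions made for this example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public final class ScrubbedCredential implements AutoCloseable { // hypothetical helper
    private final String username;
    private final char[] password; // mutable, so Arrays.fill can zero it
    public ScrubbedCredential(String username, char[] password) {
        this.username = username;
        this.password = password.clone(); // caller still wipes its own copy
    }
    /** Returns "Basic base64(user:pass)" as bytes; no String ever holds the secret. */
    public byte[] basicAuthHeaderValue() {
        char[] joined = new char[username.length() + 1 + password.length];
        username.getChars(0, username.length(), joined, 0);
        joined[username.length()] = ':';
        System.arraycopy(password, 0, joined, username.length() + 1, password.length);
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(joined));
        byte[] raw = new byte[utf8.remaining()];
        utf8.get(raw);
        byte[] b64 = Base64.getEncoder().encode(raw);
        try {
            byte[] prefix = "Basic ".getBytes(StandardCharsets.US_ASCII);
            byte[] out = Arrays.copyOf(prefix, prefix.length + b64.length);
            System.arraycopy(b64, 0, out, prefix.length, b64.length);
            return out; // caller zeroes this once it has been written to the connection
        } finally { // scrub every intermediate copy, even when an exception is thrown
            Arrays.fill(joined, '\0');
            Arrays.fill(raw, (byte) 0);
            Arrays.fill(b64, (byte) 0);
            if (utf8.hasArray()) Arrays.fill(utf8.array(), (byte) 0);
        }
    }
    @Override public void close() { Arrays.fill(password, '\0'); }
    public static void main(String[] args) {
        // Constructed sample; real code takes the char[] from Console.readPassword()
        // or JPasswordField.getPassword(), so the secret never starts life as a String.
        char[] pw = {'s', '3', 'c', 'r', 'e', 't'};
        try (ScrubbedCredential cred = new ScrubbedCredential("alice", pw)) {
            byte[] header = cred.basicAuthHeaderValue();
            System.out.println("header bytes: " + header.length);
            Arrays.fill(header, (byte) 0);
        } finally {
            Arrays.fill(pw, '\0');
        }
    }
}
```

Because `SessionParameterMap` stores its values as `String`, a `char[]` at the workbench boundary only helps if the conversion to `String` is deferred to the point where the credential is actually consumed; any earlier conversion reintroduces the heap copy the report describes.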
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)