[ https://issues.apache.org/jira/browse/CMIS-940?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Müller resolved CMIS-940.
---------------------------------
    Resolution: Won't Fix

Not fixable. Java APIs such as HttpURLConnection.addRequestProperty() force us 
to use Strings.

> Heap Inspection could reveal passwords
> --------------------------------------
>
>                 Key: CMIS-940
>                 URL: https://issues.apache.org/jira/browse/CMIS-940
>             Project: Chemistry
>          Issue Type: Bug
>          Components: opencmis-client
>    Affects Versions: OpenCMIS 0.13.0
>            Reporter: Donald Kwakkel
>
> Sensitive data (such as passwords, social security numbers, credit card 
> numbers etc.) stored in memory can be leaked if memory is not cleared after 
> use. Often, Strings are used to store sensitive data; however, since String 
> objects are immutable, removing the value of a String from memory can only be 
> done by the JVM garbage collector. The garbage collector is not required to 
> run unless the JVM is low on memory, so there is no guarantee as to when 
> garbage collection will take place. In the event of an application crash, a 
> memory dump of the application might reveal sensitive data.
> src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java:
>   public static SessionParameterMap createSessionParameters(String url,
>           BindingType binding, String username, String password,
>           Authentication authentication, boolean compression,
>           boolean clientCompression, boolean cookies) {



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
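The exchange above turns on one mechanism: a credential held in a String cannot be scrubbed, while a char[] can, but the header-setting API only accepts a String. The following is an added illustration written for this page; it is not OpenCMIS code and does not reflect how ClientSession or the client bindings are implemented. The class name BasicAuthHeaderDemo, the helper names and the sample credential are all assumptions made for the example.

```java
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added illustration, not project code: keep the password in a char[] that the
// caller can zero, and make visible the one String copy that the
// HttpURLConnection.addRequestProperty(String, String) signature forces.
public final class BasicAuthHeaderDemo {

    // Builds "Basic <base64(user:password)>" from mutable buffers only,
    // zeroing every intermediate buffer. The returned String is the
    // unavoidable immutable copy; it stays on the heap until the GC runs.
    static String basicAuthHeader(String username, char[] password) {
        char[] joined = new char[username.length() + 1 + password.length];
        username.getChars(0, username.length(), joined, 0);
        joined[username.length()] = ':';
        System.arraycopy(password, 0, joined, username.length() + 1, password.length);

        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(joined));
        byte[] raw = new byte[encoded.remaining()];
        encoded.get(raw);

        // Scrub the char[] and the encoder's backing byte array.
        Arrays.fill(joined, '\0');
        if (encoded.hasArray()) {
            Arrays.fill(encoded.array(), (byte) 0);
        }

        String header = "Basic " + Base64.getEncoder().encodeToString(raw);
        Arrays.fill(raw, (byte) 0);
        return header; // immutable: cannot be cleared by this code
    }

    // The API takes Strings only, so the header value is committed to the heap
    // here regardless of how carefully the char[] was handled before.
    static void applyAuth(HttpURLConnection conn, String username, char[] password) {
        String header = basicAuthHeader(username, password);
        conn.addRequestProperty("Authorization", header);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credential. In a real program read it with
        // System.console().readPassword() so no String literal ever holds it;
        // the literal here exists only so the example runs without a terminal.
        char[] pw = System.console() != null
                ? System.console().readPassword("Password: ")
                : "s3cret".toCharArray();

        // openConnection() does not connect, so this runs offline. The URL is
        // a placeholder, not a real CMIS endpoint.
        HttpURLConnection conn =
                (HttpURLConnection) new URL("http://localhost:8080/atom").openConnection();
        applyAuth(conn, "alice", pw);

        // The only copy under our control is now gone...
        Arrays.fill(pw, '\0');
        System.out.println("password buffer after scrub: " + Arrays.toString(pw));
        // ...but the Authorization String inside `conn` still carries the
        // base64-encoded password until garbage collection reclaims it.
        System.out.println("header still held as String: "
                + conn.getRequestProperty("Authorization"));
    }
}
```

The zeroing steps narrow the window in which the cleartext char[] is visible in a heap dump, but they cannot remove the String handed to addRequestProperty, which is exactly the limitation the resolution describes. A reviewer checking such code should look for String literals or String fields that capture the credential before it reaches the header, since each one is another copy the GC alone decides when to clear.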