
Commit d90a2d3

anshulgangwardevdeep
authored andcommitted
CLOUDSTACK-7370: Fixed password visible in plain text if password passed is in the end in url
1 parent fa11560 commit d90a2d3

1 file changed

Lines changed: 4 additions & 1 deletion


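--- a/utils/src/com/cloud/utils/StringUtils.java
+++ b/utils/src/com/cloud/utils/StringUtils.java
@@ -159,7 +159,9 @@ public static String getMaskedPasswordForDisplay(String password) {
 }
 
 // removes a password request param and it's value, also considering password is in query parameter value which has been url encoded
-private static final Pattern REGEX_PASSWORD_QUERYSTRING = Pattern.compile("(&|%26)?((p|P)assword|accesskey|secretkey)(=|%3D).*?(?=(%26|[&'\"]))");
+private static final Pattern REGEX_PASSWORD_QUERYSTRING = Pattern.compile("(&|%26)?[^(&|%26)]*((p|P)assword|accesskey|secretkey)(=|%3D).*?(?=(%26|[&'\"]))");
+
+private static final Pattern REGEX_END_PASSWORD_QUERYSTRING = Pattern.compile("(&|%26)[^(&|%26)]*((p|P)assword|accesskey|secretkey)(=|%3D).*");
 
 // removes a password/accesskey/ property from a response json object
 private static final Pattern REGEX_PASSWORD_JSON = Pattern.compile("\"((p|P)assword|accesskey|secretkey)\":\\s?\".*?\",?");
@@ -175,6 +177,7 @@ public static String cleanString(String stringToClean) {
 String cleanResult = "";
 if (stringToClean != null) {
 cleanResult = REGEX_PASSWORD_QUERYSTRING.matcher(stringToClean).replaceAll("");
+cleanResult = REGEX_END_PASSWORD_QUERYSTRING.matcher(cleanResult).replaceAll("");
 cleanResult = REGEX_PASSWORD_JSON.matcher(cleanResult).replaceAll("");
 Matcher detailsMatcher = REGEX_PASSWORD_DETAILS.matcher(cleanResult);
 while (detailsMatcher.find()) {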
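Review bot: The new REGEX_END_PASSWORD_QUERYSTRING requires a leading `&` or `%26`, while REGEX_PASSWORD_QUERYSTRING's lookahead still requires a trailing `%26`, `&` or quote, so a secret parameter that is both the only/first parameter and the last thing in the string (e.g. a trailing `?password=...` or a bare `password=...`) is matched by neither pattern and still reaches the log in clear text. Accepting end-of-input in the first pattern's lookahead, `(?=(%26|[&'\"]|$))`, closes that gap and makes the separate end-of-string pattern unnecessary. Separately, `[^(&|%26)]` is a character class, not a negated alternation: it excludes the individual characters `(`, `&`, `|`, `%`, `2`, `6` and `)`, so a parameter name containing a digit 2 or 6 or an encoded character before `password` will not be consumed as a prefix in either pattern; `(?:(?!&|%26).)*` expresses the intended "anything up to a separator". A short comment on the new field stating why a second, greedy pattern exists would also help the next reader, e.g. `// matches a secret parameter that ends the string, where the lookahead in REGEX_PASSWORD_QUERYSTRING cannot fire`. The enclosing class and the body of cleanString both extend beyond this section.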
