From d90a2d39626938e8291b536902fb3e520e1284fe Mon Sep 17 00:00:00 2001 From: Anshul Gangwar Date: Tue, 19 Aug 2014 14:17:21 +0530 Subject: [PATCH] CLOUDSTACK-7370: Fixed password visible in plain text if password passed is in the end in url --- utils/src/com/cloud/utils/StringUtils.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/utils/src/com/cloud/utils/StringUtils.java b/utils/src/com/cloud/utils/StringUtils.java index 17b8fc00573..7014e5c8d1d 100644 --- a/utils/src/com/cloud/utils/StringUtils.java +++ b/utils/src/com/cloud/utils/StringUtils.java @@ -159,7 +159,9 @@ public class StringUtils { } // removes a password request param and it's value, also considering password is in query parameter value which has been url encoded - private static final Pattern REGEX_PASSWORD_QUERYSTRING = Pattern.compile("(&|%26)?((p|P)assword|accesskey|secretkey)(=|%3D).*?(?=(%26|[&'\"]))"); + private static final Pattern REGEX_PASSWORD_QUERYSTRING = Pattern.compile("(&|%26)?[^(&|%26)]*((p|P)assword|accesskey|secretkey)(=|%3D).*?(?=(%26|[&'\"]))"); + + private static final Pattern REGEX_END_PASSWORD_QUERYSTRING = Pattern.compile("(&|%26)[^(&|%26)]*((p|P)assword|accesskey|secretkey)(=|%3D).*"); // removes a password/accesskey/ property from a response json object private static final Pattern REGEX_PASSWORD_JSON = Pattern.compile("\"((p|P)assword|accesskey|secretkey)\":\\s?\".*?\",?"); @@ -175,6 +177,7 @@ public class StringUtils { String cleanResult = ""; if (stringToClean != null) { cleanResult = REGEX_PASSWORD_QUERYSTRING.matcher(stringToClean).replaceAll(""); + cleanResult = REGEX_END_PASSWORD_QUERYSTRING.matcher(cleanResult).replaceAll(""); cleanResult = REGEX_PASSWORD_JSON.matcher(cleanResult).replaceAll(""); Matcher detailsMatcher = REGEX_PASSWORD_DETAILS.matcher(cleanResult); while (detailsMatcher.find()) {