Opened 20 months ago
Closed 19 months ago
#22846 closed enhancement (fixed)
[patch] Anonymize VM arguments in status reports
Reported by: | gaben | Owned by: | team |
---|---|---|---|
Priority: | normal | Milestone: | 23.04 |
Component: | Core | Version: | |
Keywords: | information disclosure | Cc: |
Description
A JOSM instance in debugging can have special VM arguments which can contain sensitive information, like the user home dir. If someone creates a bug report in that state, the VM arguments become visible.
See for example one of my previous reports, #22845, where I manually changed the -javaagent param to hide the username.
-
src/org/openstreetmap/josm/actions/ShowStatusReportAction.java
159 159 text.format("WebStart package: %s%n", webStartDetails); 160 160 } 161 161 } 162 // Add Gnome A tkwrapper details if found162 // Add Gnome ATK wrapper details if found 163 163 String atkWrapperDetails = platform.getAtkWrapperPackageDetails(); 164 164 if (atkWrapperDetails != null) { 165 165 text.format("Java ATK Wrapper package: %s%n", atkWrapperDetails); 166 166 } 167 // Add dependenc iesdetails if found167 // Add dependency details if found 168 168 for (String p : new String[] { 169 169 "apache-commons-compress", "libcommons-compress-java", 170 170 "apache-commons-jcs-core", … … 207 207 } 208 208 } 209 209 if (!vmArguments.isEmpty()) { 210 text.format("VM arguments: %s%n", vmArguments.toString().replace("\\\\", "\\"));210 text.format("VM arguments: %s%n", paramCleanup(vmArguments).toString().replace("\\\\", "\\")); 211 211 } 212 212 } catch (SecurityException e) { 213 213 Logging.trace(e); … … 280 280 } 281 281 282 282 /** 283 * Shortens and removes private information sfrom a parameter used for status report.283 * Shortens and removes private information from a parameter used for status report. 284 284 * @param param parameter to cleanup 285 285 * @return shortened/anonymized parameter 286 286 */
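Review bot: at line 210, `paramCleanup(vmArguments)` is handed the whole argument collection, while the `paramCleanup` Javadoc visible at lines 283-286 describes a single `param` and a single "shortened/anonymized parameter" as the return value. The collection variant this call relies on is not part of the patch as shown, so please confirm it exists and document it next to the single-parameter version. The ordering on the same line also deserves a look: `.replace("\\\\", "\\")` runs after the cleanup, so the cleanup sees arguments that may still contain doubled backslashes, and if it matches the home directory as a plain path, a Windows `-javaagent` path could pass through unredacted. A unit test with a `-javaagent` argument pointing under the user home directory, the case from this ticket, would pin the behaviour down.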
Maybe it fits in the March release :)