Feature #139
Remove printStackTrace calls
| Status: | Closed | Start: | 24/01/2012 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | | % Done: | 100% |
| Category: | WUI | Spent time: | - |
| Target version: | 2.0 | | |
Description
A security audit recommends avoiding this kind of code:

```java
e.printStackTrace();
```

We must use the logger API and never call the printStackTrace method directly. Writing the trace to standard error bypasses the logger configuration, so it can neither be silenced nor redirected.

For example, this was found in the following files:

- \src\main\java\org\linagora\linidcm\tap5\components\entry\Associate.java
- \src\main\java\org\linagora\linidcm\tap5\components\layout\Actionbar.java
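The flagged pattern beside the logger-based replacement, as an added example that is not LinID code: the `DirectoryClient` interface, `DirectoryException` and method names are hypothetical, and SLF4J is assumed as the logger API. It also shows the alternative of simply propagating the exception to the caller.

```java
// Added example, not LinID code: hypothetical DirectoryClient/DirectoryException
// stand in for the real directory layer; SLF4J is assumed as the logger API.
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class AssociateEntry {
    private static final Logger LOG = LoggerFactory.getLogger(AssociateEntry.class);

    /** Hypothetical directory access layer used by the component. */
    public interface DirectoryClient {
        void associate(String dn) throws DirectoryException;
    }

    /** Hypothetical checked exception raised by the directory layer. */
    public static class DirectoryException extends Exception {
        public DirectoryException(String message) { super(message); }
    }

    private final DirectoryClient directory;

    public AssociateEntry(DirectoryClient directory) {
        this.directory = directory;
    }

    // Pattern flagged by the audit: printStackTrace() writes the full trace
    // (class names, frameworks, line numbers) to System.err, outside any
    // logger configuration, so it can neither be silenced nor redirected.
    public void associateBefore(String dn) {
        try {
            directory.associate(dn);
        } catch (DirectoryException e) {
            e.printStackTrace();
        }
    }

    // Fixed pattern: hand the exception to the logger as the last argument.
    // The trace is then emitted only at the configured level and appender,
    // and the message stays parameterised instead of being concatenated.
    public void associateAfter(String dn) {
        try {
            directory.associate(dn);
        } catch (DirectoryException e) {
            LOG.error("Could not associate entry {}", dn, e);
        }
    }

    // Alternative: do not catch at all and let the caller decide how to log.
    public void associateThrowing(String dn) throws DirectoryException {
        directory.associate(dn);
    }
}
```

With no appender configured for the error level, `associateAfter` records nothing, whereas `associateBefore` always prints the trace.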
Associated revisions
Some cleaning + Fix #139
History
Updated by Raphael Ouazana 4 months ago
Is this linked to this PDF: http://www.infosecwriters.com/text_resources/pdf/Code_Review_KMaraju.pdf ?
It seems the reason is "printStackTrace () method reveals the application details and technology usage". I don't think it can apply to free software.
Anyway a quick fix would be to let the method throw the exceptions.
Updated by Clément OUDOT 4 months ago
I think the goal is to be able to adjust the log output by logger configuration. If you configure no output, an attacker could not get any information in log files.
Updated by Raphael Ouazana 4 months ago
- Status changed from New to Closed
- Assigned to set to Raphael Ouazana
- Target version changed from Not planned to 2.0
- % Done changed from 0 to 100
Fixed in r222.