zookeeper-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Han (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (ZOOKEEPER-2405) getTGT() in Login.java mishandles confidential information
Date Tue, 03 May 2016 20:01:12 GMT

     [ https://issues.apache.org/jira/browse/ZOOKEEPER-2405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Michael Han updated ZOOKEEPER-2405:
-----------------------------------
    Attachment: ZOOKEEPER-2405.patch

Update patch to satisfy FindBug, which has a valid catch of a redundant null check. Add the
null check at the beginning of loop and warn if null ticket is found, as nothing would prevent
the implementation of the credential provider to add a null element in the set, even though
it rarely happens in practice, so it seems to me a good check to add. 

> getTGT() in Login.java mishandles confidential information
> ----------------------------------------------------------
>
>                 Key: ZOOKEEPER-2405
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2405
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: kerberos, security, server
>    Affects Versions: 3.4.8, 3.5.1, 3.6.0
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.9, 3.5.2, 3.6.0
>
>         Attachments: ZOOKEEPER-2405.patch, ZOOKEEPER-2405.patch
>
>
> We're logging the kerberos ticket when in debug mode, probably not the best idea. This
was identified as a "critical" issue by Fortify.
> {noformat}
>         for(KerberosTicket ticket: tickets) {
>             KerberosPrincipal server = ticket.getServer();
>             if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm()))
{
>                 LOG.debug("Found tgt " + ticket + ".");
>                 return ticket;
>             }
>         }
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message