zookeeper-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "xiaoqin.fu (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ZOOKEEPER-3489) Possible information leakage to log without LOG configuration control LOG.isWarnEnabled()
Date Fri, 02 Aug 2019 11:11:00 GMT
xiaoqin.fu created ZOOKEEPER-3489:
-------------------------------------

             Summary: Possible information leakage to log without LOG configuration control
LOG.isWarnEnabled()
                 Key: ZOOKEEPER-3489
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3489
             Project: ZooKeeper
          Issue Type: Bug
          Components: java client, security
         Environment: 	Ubuntu 16.04.3 LTS
	Open JDK version "1.8.0_191" build 25.191-b12
            Reporter: xiaoqin.fu


   In org.apache.zookeeper.ClientCnxn$SendThread, statements LOG.warn(....) don't have LOG
configuration controls.	
        void readResponse(ByteBuffer incomingBuffer) throws IOException {
            ......
			LOG.warn("Got server path " + event.getPath()
					+ " which is too short for chroot path "
					+ chrootPath);
			......					
        }
	Sensitive information about event path and chroot path may be leaked. The LOG.isWarnEnabled()
conditional statement should be added:
	    void readResponse(ByteBuffer incomingBuffer) throws IOException {
            ......
			if (LOG.isWarnEnabled())
				LOG.warn("Got server path " + event.getPath()
					+ " which is too short for chroot path "
					+ chrootPath);
			......					
        }



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

Mime
View raw message