zookeeper-issues mailing list archives

From "xiaoqin.fu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-3504) An information leakage from FileTxnSnapLog to log:
Date Tue, 13 Aug 2019 08:20:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3504?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16905926#comment-16905926 ]

xiaoqin.fu commented on ZOOKEEPER-3504:
---------------------------------------

However, in org.apache.zookeeper.ClientCnxn, lines 112 - 121:   
    static {
		......
        disableAutoWatchReset =
            Boolean.getBoolean("zookeeper.disableAutoWatchReset");
        if (LOG.isDebugEnabled()) {
            LOG.debug("zookeeper.disableAutoWatchReset is "
                    + disableAutoWatchReset);
        }
    }
disableAutoWatchReset is a boolean variant, and should not be critical.
I don't know why this code needs the LOG.isDebugEnabled() check. LOG.isDebugEnabled() also exists in other classes.
Another thing is that ZooKeeper is used in many production systems.

> An information leakage from FileTxnSnapLog to log:
> --------------------------------------------------
>
>                 Key: ZOOKEEPER-3504
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3504
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security, server
>    Affects Versions: 3.4.11, 3.4.12, 3.4.13, 3.5.5, 3.4.14
>            Reporter: xiaoqin.fu
>            Priority: Major
>
> In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement LOG.debug doesn't have LOG controls:
>     public void processTransaction(TxnHeader hdr,DataTree dt,
>             Map<Long, Integer> sessions, Record txn)
>         throws KeeperException.NoNodeException {  
> 		......
>         if (rc.err != Code.OK.intValue()) {
>             LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
>                     + ", error: " + rc.err + ", path: " + rc.path);
>         }  
> 		......
>     } 
> Sensitive information about hdr type or rc path was leaked. The conditional statement LOG.isDebugEnabled() should be added:
>     public void processTransaction(TxnHeader hdr,DataTree dt,
>             Map<Long, Integer> sessions, Record txn)
>         throws KeeperException.NoNodeException {  
> 		......
>         if (rc.err != Code.OK.intValue()) {
>             if (LOG.isDebugEnabled())
>                 LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
>                         + ", error: " + rc.err + ", path: " + rc.path);
>         }  
> 		......
>     } 



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
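
Added example, not part of the original message or of ZooKeeper's code: a self-contained Java program that runs the unguarded and the guarded debug call discussed above, once with debug output off and once with it on, and records what reaches the log and whether the message string was built. It uses java.util.logging (Level.FINE, isLoggable) as a stand-in for ZooKeeper's logger so it runs without dependencies; the class name DebugGuardDemo, the message() helper and the sample values are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class DebugGuardDemo {
    static int built = 0; // how many times the message string was constructed

    // Stand-in for the string concatenation in processTransaction() (constructed values).
    static String message(int type, int err, String path) {
        built++;
        return "Ignoring processTxn failure hdr:" + type + ", error: " + err + ", path: " + path;
    }

    // Returns {unguarded records, unguarded builds, guarded records, guarded builds}.
    static int[] run(Level level) {
        final List<String> captured = new ArrayList<>();
        Logger log = Logger.getAnonymousLogger();
        log.setUseParentHandlers(false);   // keep output in the capturing handler only
        log.setLevel(level);
        log.addHandler(new Handler() {
            @Override public void publish(LogRecord r) { captured.add(r.getMessage()); }
            @Override public void flush() { }
            @Override public void close() { }
        });

        built = 0;
        log.fine(message(1, -101, "/constructed/node"));       // unguarded call
        int unguardedRecords = captured.size();
        int unguardedBuilds = built;

        captured.clear();
        built = 0;
        if (log.isLoggable(Level.FINE)) {                       // guarded call
            log.fine(message(1, -101, "/constructed/node"));
        }
        return new int[] { unguardedRecords, unguardedBuilds, captured.size(), built };
    }

    public static void main(String[] args) {
        for (Level level : new Level[] { Level.INFO, Level.FINE }) {
            int[] r = run(level);
            System.out.printf("level=%s unguarded: records=%d builds=%d | guarded: records=%d builds=%d%n",
                    level, r[0], r[1], r[2], r[3]);
        }
    }
}
```

For each level, the records columns show what reached the log and the builds columns show whether the message string was constructed.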
