From issues-return-563-archive-asf-public=cust-asf.ponee.io@zookeeper.apache.org Fri Aug 2 16:51:01 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by mx-eu-01.ponee.io (Postfix) with SMTP id 9F226180647 for ; Fri, 2 Aug 2019 18:51:01 +0200 (CEST) Received: (qmail 4023 invoked by uid 500); 2 Aug 2019 16:51:01 -0000 Mailing-List: contact issues-help@zookeeper.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@zookeeper.apache.org Delivered-To: mailing list issues@zookeeper.apache.org Received: (qmail 4007 invoked by uid 99); 2 Aug 2019 16:51:01 -0000 Received: from mailrelay1-us-west.apache.org (HELO mailrelay1-us-west.apache.org) (209.188.14.139) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 02 Aug 2019 16:51:01 +0000 Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 6C5BAE2F8C for ; Fri, 2 Aug 2019 16:51:00 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 261AB2419D for ; Fri, 2 Aug 2019 16:51:00 +0000 (UTC) Date: Fri, 2 Aug 2019 16:51:00 +0000 (UTC) From: "xiaoqin.fu (JIRA)" To: issues@zookeeper.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (ZOOKEEPER-3489) Possible information leakage to log without LOG configuration control LOG.isWarnEnabled() MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/ZOOKEEPER-3489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16899035#comment-16899035 ] xiaoqin.fu commented on ZOOKEEPER-3489: --------------------------------------- I have asked security@apache.org for a CVE ID. > Possible information leakage to log without LOG configuration control LOG.isWarnEnabled() > ----------------------------------------------------------------------------------------- > > Key: ZOOKEEPER-3489 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3489 > Project: ZooKeeper > Issue Type: Bug > Components: java client, security > Environment: Ubuntu 16.04.3 LTS > Open JDK version "1.8.0_191" build 25.191-b12 > Reporter: xiaoqin.fu > Priority: Major > > In org.apache.zookeeper.ClientCnxn$SendThread, statements LOG.warn(....) don't have LOG configuration controls. > void readResponse(ByteBuffer incomingBuffer) throws IOException { > ...... > LOG.warn("Got server path " + event.getPath() > + " which is too short for chroot path " > + chrootPath); > ...... > } > Sensitive information about event path and chroot path may be leaked. The LOG.isWarnEnabled() conditional statement should be added: > void readResponse(ByteBuffer incomingBuffer) throws IOException { > ...... > if (LOG.isWarnEnabled()) > LOG.warn("Got server path " + event.getPath() > + " which is too short for chroot path " > + chrootPath); > ...... > } -- This message was sent by Atlassian JIRA (v7.6.14#76016)