From issues-return-553-archive-asf-public=cust-asf.ponee.io@zookeeper.apache.org Fri Aug 2 11:11:02 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by mx-eu-01.ponee.io (Postfix) with SMTP id C1EE6180647 for ; Fri, 2 Aug 2019 13:11:01 +0200 (CEST) Received: (qmail 21185 invoked by uid 500); 2 Aug 2019 11:11:01 -0000 Mailing-List: contact issues-help@zookeeper.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@zookeeper.apache.org Delivered-To: mailing list issues@zookeeper.apache.org Received: (qmail 21167 invoked by uid 99); 2 Aug 2019 11:11:01 -0000 Received: from mailrelay1-us-west.apache.org (HELO mailrelay1-us-west.apache.org) (209.188.14.139) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 02 Aug 2019 11:11:01 +0000 Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 5FB4FE0220 for ; Fri, 2 Aug 2019 11:11:00 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 14EF1213F5 for ; Fri, 2 Aug 2019 11:11:00 +0000 (UTC) Date: Fri, 2 Aug 2019 11:11:00 +0000 (UTC) From: "xiaoqin.fu (JIRA)" To: issues@zookeeper.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Created] (ZOOKEEPER-3489) Possible information leakage to log without LOG configuration control LOG.isWarnEnabled() MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 xiaoqin.fu created ZOOKEEPER-3489: ------------------------------------- Summary: Possible information leakage to log without LOG configuration control LOG.isWarnEnabled() Key: ZOOKEEPER-3489 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3489 Project: ZooKeeper Issue Type: Bug Components: java client, security Environment: Ubuntu 16.04.3 LTS Open JDK version "1.8.0_191" build 25.191-b12 Reporter: xiaoqin.fu In org.apache.zookeeper.ClientCnxn$SendThread, statements LOG.warn(....) don't have LOG configuration controls. void readResponse(ByteBuffer incomingBuffer) throws IOException { ...... LOG.warn("Got server path " + event.getPath() + " which is too short for chroot path " + chrootPath); ...... } Sensitive information about event path and chroot path may be leaked. The LOG.isWarnEnabled() conditional statement should be added: void readResponse(ByteBuffer incomingBuffer) throws IOException { ...... if (LOG.isWarnEnabled()) LOG.warn("Got server path " + event.getPath() + " which is too short for chroot path " + chrootPath); ...... } -- This message was sent by Atlassian JIRA (v7.6.14#76016)