[jira] [Closed] (THRIFT-4925) An information leakage from TSaslClientTransport

Jens Geyer (Jira) Fri, 12 Jun 2020 13:01:07 -0700


     [ 
https://issues.apache.org/jira/browse/THRIFT-4925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Jens Geyer closed THRIFT-4925.
------------------------------
      Assignee: Jens Geyer
    Resolution: Invalid

Logging such messages is perfectly legit. Furthermore, the proposed "solution" 
would not even fix the claim made.

> An information leakage from TSaslClientTransport
> ------------------------------------------------
>
>                 Key: THRIFT-4925
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4925
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.11.0, 0.12.0
>         Environment: Ubuntu 16.04.3 LTS
> Open JDK version "1.8.0_191" build 25.191-b12
>            Reporter: xiaoqin.fu
>            Assignee: Jens Geyer
>            Priority: Major
>
> In org.apache.thrift.transport.TSaslClientTransport, 
>   protected void handleSaslStartMessage() throws TTransportException, 
> SaslException {
>     .......
>     LOGGER.debug("Sending mechanism name {} and initial response of length 
> {}", mechanism,
>         initialResponse.length);
>     .......
>   }
> Sensitive information about mechanism is leaked. The LOGGER.isDebugEnabled() 
> conditional statement should be added:
>   protected void handleSaslStartMessage() throws TTransportException, 
> SaslException {
>     .......
>       if (LOGGER.isDebugEnabled())
>               LOGGER.debug("Sending mechanism name {} and initial response of 
> length {}", mechanism,
>                       initialResponse.length);
>     .......
>   }



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Closed] (THRIFT-4925) An information leakage from TSaslClientTransport

Reply via email to