[ https://issues.apache.org/jira/browse/THRIFT-4926?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jens Geyer closed THRIFT-4926.
------------------------------

Assignee: Jens Geyer
Resolution: Invalid

Logging such messages is perfectly legit. Furthermore, the proposed "solution"
would not even fix the claim made.

> An information leakage from TSaslTransport
> ------------------------------------------
>
> Key: THRIFT-4926
> URL: https://issues.apache.org/jira/browse/THRIFT-4926
> Project: Thrift
> Issue Type: Bug
> Components: Java - Library
> Affects Versions: 0.11.0, 0.12.0
> Reporter: xiaoqin.fu
> Assignee: Jens Geyer
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> In org.apache.thrift.transport.TSaslTransport,
>
>     public void open() throws TTransportException {
>         .......
>         LOGGER.debug("{}: Start message handled", getRole());
>         .......
>         LOGGER.debug("{}: All done!", getRole());
>         .......
>         LOGGER.debug("{}: Main negotiation loop complete", getRole());
>         .......
>         LOGGER.debug("{}: SASL Client receiving last message", getRole());
>         .......
>     }
>
> Sensitive information about Role is leaked. The LOGGER.isDebugEnabled()
> conditional statements should be added:
>
>     public void open() throws TTransportException {
>         .......
>         if (LOGGER.isDebugEnabled())
>             LOGGER.debug("{}: Start message handled", getRole());
>         .......
>         if (LOGGER.isDebugEnabled())
>             LOGGER.debug("{}: All done!", getRole());
>         .......
>         if (LOGGER.isDebugEnabled())
>             LOGGER.debug("{}: Main negotiation loop complete", getRole());
>         .......
>         if (LOGGER.isDebugEnabled())
>             LOGGER.debug("{}: SASL Client receiving last message", getRole());
>         .......
>     }