xiaoqin.fu created ZOOKEEPER-3489:
-------------------------------------
Summary: Possible information leakage to log without LOG
configuration control LOG.isWarnEnabled()
Key: ZOOKEEPER-3489
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3489
Project: ZooKeeper
Issue Type: Bug
Components: java client, security
Environment: Ubuntu 16.04.3 LTS
Open JDK version "1.8.0_191" build 25.191-b12
Reporter: xiaoqin.fu
In org.apache.zookeeper.ClientCnxn$SendThread, statements LOG.warn(....)
don't have LOG configuration controls.
void readResponse(ByteBuffer incomingBuffer) throws IOException {
......
LOG.warn("Got server path " + event.getPath()
+ " which is too short for chroot path "
+ chrootPath);
......
}
Sensitive information about event path and chroot path may be leaked.
The LOG.isWarnEnabled() conditional statement should be added:
void readResponse(ByteBuffer incomingBuffer) throws IOException {
......
if (LOG.isWarnEnabled())
LOG.warn("Got server path " + event.getPath()
+ " which is too short for chroot path "
+ chrootPath);
......
}
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
