Andor Molnar created ZOOKEEPER-5058:
---------------------------------------
Summary: Remove special characters from ensemble name before
logging in EnsembleAuthenticationProvider
Key: ZOOKEEPER-5058
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-5058
Project: ZooKeeper
Issue Type: Improvement
Components: security, server
Affects Versions: 3.8.6, 3.9.5
Reporter: Andor Molnar
Assignee: Andor Molnar
{{EnsembleAuthenticationProvider}} is intended to prevent a client from
accidentally connecting to the wrong ZooKeeper ensemble. When a client sends a
standard ZooKeeper {{auth}} request with scheme {{ensemble}}, the request
is parsed by the normal network request path and dispatched to the provider.
There is no sanitization step before the user-controlled value is emitted to
the logger. Clients could corrupt the logfile in the same way that we've seen in
ZOOKEEPER-3979.
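
One way to neutralize a client-supplied ensemble name before it reaches the logger, as an added example that is not part of the original issue and is not ZooKeeper's own code. The class name, method name, length cap and sample input are assumptions made for illustration, and the value is assumed to arrive as raw bytes.

```java
import java.nio.charset.StandardCharsets;

// Added example; class and method names are hypothetical, not ZooKeeper code.
public class LogFieldSanitizer {
    // Assumed cap on how much of a client-supplied name is logged.
    private static final int MAX_LEN = 64;

    // Returns a single-line, printable-ASCII rendering of a client-supplied value.
    static String sanitize(byte[] raw) {
        if (raw == null) {
            return "<null>";
        }
        // Malformed UTF-8 decodes to U+FFFD, which is escaped below.
        String s = new String(raw, StandardCharsets.UTF_8);
        StringBuilder out = new StringBuilder();
        int i = 0;
        while (i < s.length() && out.length() < MAX_LEN) {
            int cp = s.codePointAt(i);
            i += Character.charCount(cp);
            if (cp >= 0x20 && cp < 0x7f) {
                out.append((char) cp);
            } else {
                // CR, LF, ESC, other controls and non-ASCII become visible tokens.
                out.append(String.format("<U+%04X>", cp));
            }
        }
        if (i < s.length()) {
            out.append("...[truncated]");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: an ensemble name carrying CR/LF and a fake log entry.
        byte[] name = "prod\r\n2025-01-01 00:00:00 INFO constructed forged entry"
                .getBytes(StandardCharsets.UTF_8);
        String prefix = "2025-01-01 00:00:00 WARN unexpected ensemble name: ";
        // Unsanitized: the reader of the log sees two separate entries.
        System.out.println(prefix + new String(name, StandardCharsets.UTF_8));
        // Sanitized: one entry, with the line break shown as <U+000D><U+000A>.
        System.out.println(prefix + sanitize(name));
    }
}
```

Escaping rather than silently dropping the characters keeps the attempt visible to whoever reviews the log.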