[
https://issues.apache.org/jira/browse/CXF-9123?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Manuel Shenavai reopened CXF-9123:
----------------------------------
Thanks [~reta]. I can see that the now only the hash is printed:
https://github.com/apache/cxf/blob/4fc8b120d7c7363c70324ff8c790494655ad3fa4/core/src/main/java/org/apache/cxf/io/DelayedCachedOutputStreamCleaner.java#L132
This is fixing the problem mentioned in DelayedCachedOutputStreamCleaner. But I
still see the toString() of CachedOutputStream is writing its content. If
somewhere else toString() is invoked on this, a simliar problem could easily
come up. Should this toString() be changed?
> Payload written to logs
> -----------------------
>
> Key: CXF-9123
> URL: https://issues.apache.org/jira/browse/CXF-9123
> Project: CXF
> Issue Type: Bug
> Components: Core
> Reporter: Manuel Shenavai
> Priority: Major
>
> When tmp files are cleaned up by DelayedCachedOutputStreamCleaner, the
> content of the tmp file is written into the logs:
> https://github.com/apache/cxf/blob/4fc8b120d7c7363c70324ff8c790494655ad3fa4/core/src/main/java/org/apache/cxf/io/DelayedCachedOutputStreamCleaner.java#L132
> https://github.com/apache/cxf/blob/main/core/src/main/java/org/apache/cxf/io/CachedOutputStream.java#L430
> Writing the payloads into the logs is a security problem.
> Example log:
> 2025-03-24T18:34:21.17+0530 [...] "Unclosed (leaked?) stream detected:
> [org.apache.cxf.io.CachedOutputStream Content: <queryResponse [...]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
