[ https://issues.apache.org/jira/browse/CXF-9123?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Manuel Shenavai updated CXF-9123:
---------------------------------
Description:
When tmp files are cleaned up by DelayedCachedOutputStreamCleaner, the content
of the tmp file is written into the logs:
https://github.com/apache/cxf/blob/4fc8b120d7c7363c70324ff8c790494655ad3fa4/core/src/main/java/org/apache/cxf/io/DelayedCachedOutputStreamCleaner.java#L132
https://github.com/apache/cxf/blob/main/core/src/main/java/org/apache/cxf/io/CachedOutputStream.java#L430
Writing the payloads into the logs is a security problem.
Example log:
2025-03-24T18:34:21.17+0530 [...] "Unclosed (leaked?) stream detected:
[org.apache.cxf.io.CachedOutputStream Content: <queryResponse [...]
was:
When tmp files are cleaned up by DelayedCachedOutputStreamCleaner, the content
of the tmp file is written into the logs:
https://github.com/apache/cxf/blob/4fc8b120d7c7363c70324ff8c790494655ad3fa4/core/src/main/java/org/apache/cxf/io/DelayedCachedOutputStreamCleaner.java#L132
https://github.com/apache/cxf/blob/main/core/src/main/java/org/apache/cxf/io/CachedOutputStream.java#L430
Writing the payloads into the logs is a security problem.
> Payload written to logs
> -----------------------
>
> Key: CXF-9123
> URL: https://issues.apache.org/jira/browse/CXF-9123
> Project: CXF
> Issue Type: Bug
> Components: Core
> Reporter: Manuel Shenavai
> Priority: Major
>
> When tmp files are cleaned up by DelayedCachedOutputStreamCleaner, the
> content of the tmp file is written into the logs:
> https://github.com/apache/cxf/blob/4fc8b120d7c7363c70324ff8c790494655ad3fa4/core/src/main/java/org/apache/cxf/io/DelayedCachedOutputStreamCleaner.java#L132
> https://github.com/apache/cxf/blob/main/core/src/main/java/org/apache/cxf/io/CachedOutputStream.java#L430
> Writing the payloads into the logs is a security problem.
> Example log:
> 2025-03-24T18:34:21.17+0530 [...] "Unclosed (leaked?) stream detected:
> [org.apache.cxf.io.CachedOutputStream Content: <queryResponse [...]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
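Until a fixed CXF build is deployed, a log pipeline can at least keep the leak notice (which is the useful signal for finding the unclosed stream) while dropping the payload that follows "Content:". The following is an added example, not part of the Jira report or of CXF itself; the leak message and the "[org.apache.cxf.io.CachedOutputStream Content:" prefix are taken from the report's example log, while the timestamp-prefixed record layout, logger names and the sample payload are constructed assumptions.

```python
import re

# Message text quoted in CXF-9123 for a reaped, still-open CachedOutputStream.
LEAK_MARKER = "Unclosed (leaked?) stream detected:"

# String form of the stream as quoted in the report; group 2 is the payload,
# which may run over several lines because the cached content is often XML.
CONTENT_RE = re.compile(
    r"(\[org\.apache\.cxf\.io\.CachedOutputStream Content: )(.*)$", re.DOTALL
)

# Assumption: every log record starts with an ISO-8601 timestamp; continuation
# lines (a multi-line payload) belong to the preceding record.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")

# Constructed sample log, not a real capture: one leak record wrapping XML.
SAMPLE_LOG = """\
2025-03-24T18:34:20.90+0530 INFO  org.apache.cxf.io.CachedOutputStream Switching to file cache
2025-03-24T18:34:21.17+0530 WARN  org.apache.cxf.io.DelayedCachedOutputStreamCleaner "Unclosed (leaked?) stream detected: [org.apache.cxf.io.CachedOutputStream Content: <queryResponse><account>ACCT-0001</account>
</queryResponse>]"
2025-03-24T18:34:22.00+0530 INFO  some.other.Logger request completed
"""


def split_records(lines):
    """Group physical lines into log records using the timestamp prefix."""
    records = []
    for line in lines:
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records


def redact_leaked_stream(record):
    """Return (record, payload_found); payload after 'Content: ' is replaced."""
    if LEAK_MARKER not in record:
        return record, False
    m = CONTENT_RE.search(record)
    if not m:
        return record, False
    payload = m.group(2)
    return record[:m.start(2)] + f"<redacted {len(payload)} chars>]", True


def scan_log(lines):
    """Redact every leak record; return (records, number of payloads removed)."""
    out, count = [], 0
    for record in split_records(lines):
        new_record, hit = redact_leaked_stream(record)
        out.append(new_record)
        count += 1 if hit else 0
    return out, count
```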