[ https://issues.apache.org/jira/browse/ZOOKEEPER-3504?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16905926#comment-16905926 ]
xiaoqin.fu commented on ZOOKEEPER-3504:
---------------------------------------
However, in org.apache.zookeeper.ClientCnxn, lines 112 - 121:
    static {
        ......
        disableAutoWatchReset =
            Boolean.getBoolean("zookeeper.disableAutoWatchReset");
        if (LOG.isDebugEnabled()) {
            LOG.debug("zookeeper.disableAutoWatchReset is "
                    + disableAutoWatchReset);
        }
    }
disableAutoWatchReset is a boolean variant, and should not be critical.
I don't know why this code needs LOG.isDebugEnabled() check.
LOG.isDebugEnabled() also exists in other classes.
Another thing is that zookeeper is used in many production systems.
> An information leakage from FileTxnSnapLog to log:
> --------------------------------------------------
>
> Key: ZOOKEEPER-3504
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3504
> Project: ZooKeeper
> Issue Type: Bug
> Components: security, server
> Affects Versions: 3.4.11, 3.4.12, 3.4.13, 3.5.5, 3.4.14
> Reporter: xiaoqin.fu
> Priority: Major
>
> In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement
> LOG.debug doesn't have LOG controls:
>     public void processTransaction(TxnHeader hdr, DataTree dt,
>             Map<Long, Integer> sessions, Record txn)
>             throws KeeperException.NoNodeException {
>         ......
>         if (rc.err != Code.OK.intValue()) {
>             LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
>                     + ", error: " + rc.err + ", path: " + rc.path);
>         }
>         ......
>     }
> Sensitive information about hdr type or rc path was leaked. The conditional
> statement LOG.isDebugEnabled() should be added:
>     public void processTransaction(TxnHeader hdr, DataTree dt,
>             Map<Long, Integer> sessions, Record txn)
>             throws KeeperException.NoNodeException {
>         ......
>         if (rc.err != Code.OK.intValue()) {
>             if (LOG.isDebugEnabled())
>                 LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
>                         + ", error: " + rc.err + ", path: " + rc.path);
>         }
>         ......
>     }
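An added example, not part of the thread or of ZooKeeper's code, for the question raised in the comment and the issue description about what the LOG.isDebugEnabled() guard changes. It uses java.util.logging as a stand-in for the LOG object in the snippets (isLoggable(Level.FINE)/fine() in place of isDebugEnabled()/debug()); the class name, logger names and sample values are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class DebugGuardDemo {
    // Collects emitted messages in memory so the two call styles can be compared.
    static final class Capture extends Handler {
        final List<String> lines = new ArrayList<>();
        @Override public void publish(LogRecord r) { if (isLoggable(r)) lines.add(r.getMessage()); }
        @Override public void flush() {}
        @Override public void close() {}
    }

    static int built; // how many times the message string was constructed

    // Same message shape as the FileTxnSnapLog snippet; arguments are constructed.
    static String message(int type, int err, String path) {
        built++;
        return "Ignoring processTxn failure hdr:" + type + ", error: " + err + ", path: " + path;
    }

    // Returns {messages emitted, messages built} for one call style at one logger level.
    static int[] run(Level level, boolean guarded) {
        Logger log = Logger.getLogger("demo." + level + "." + guarded);
        log.setUseParentHandlers(false);   // keep output out of the console handler
        log.setLevel(level);
        Capture cap = new Capture();
        cap.setLevel(Level.ALL);
        log.addHandler(cap);
        built = 0;
        if (guarded) {
            if (log.isLoggable(Level.FINE)) log.fine(message(1, -101, "/constructed/path"));
        } else {
            log.fine(message(1, -101, "/constructed/path"));
        }
        return new int[] { cap.lines.size(), built };
    }

    public static void main(String[] args) {
        for (Level level : new Level[] { Level.INFO, Level.FINE }) {
            for (boolean guarded : new boolean[] { false, true }) {
                int[] r = run(level, guarded);
                System.out.printf("level=%s guarded=%b emitted=%d built=%d%n", level, guarded, r[0], r[1]);
            }
        }
    }
}
```

At each level the emitted count is the same with and without the guard and only the built count differs, so whether the path reaches the log is decided by the configured level, which is the setting to review on production systems.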