xiaoqin.fu created THRIFT-4922:
----------------------------------
Summary: Sensitive information is leaked from TTransport through a
TTransportException
Key: THRIFT-4922
URL: https://issues.apache.org/jira/browse/THRIFT-4922
Project: Thrift
Issue Type: Bug
Components: Java - Library
Affects Versions: 0.12.0, 0.11.0
Environment: Ubuntu 16.04.3 LTS
Open JDK version "1.8.0_191" build 25.191-b12
Reporter: xiaoqin.fu
In org.apache.thrift.transport.TTransport,
public int readAll(byte[] buf, int off, int len)
throws TTransportException {
int got = 0;
int ret = 0;
while (got < len) {
ret = read(buf, off+got, len-got);
if (ret <= 0) {
throw new TTransportException(
"Cannot read. Remote side has closed. Tried to read "
+ len
+ " bytes, but only got "
+ got
+ " bytes. (This is often indicative of an internal
error on the server side. Please check your server logs.)");
}
got += ret;
}
return got;
}
Sensitive information about expected and actual reading lengths (len, got) is
leaked.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
