xiaoqin.fu created THRIFT-4924:
----------------------------------

             Summary: An information leakage from TSocket
                 Key: THRIFT-4924
                 URL: https://issues.apache.org/jira/browse/THRIFT-4924
             Project: Thrift
          Issue Type: Bug
          Components: Java - Library
    Affects Versions: 0.12.0, 0.11.0
         Environment: Ubuntu 16.04.3 LTS
Open JDK version "1.8.0_191" build 25.191-b12  
            Reporter: xiaoqin.fu


In org.apache.thrift.transport.TSocket,
  public void close() {
    ......
    if (socket_ != null) {
      try {
        socket_.close();
      } catch (IOException iox) {
        LOGGER.warn("Could not close socket.", iox);
      }
      socket_ = null;
    }
  }
Sensitive information about socket input stream or output stream may be leaked. 
The LOGGER.isWarnEnabled() conditional statement should be added to the method 
close() and others such as TSocket(Socket socket) and setTimeout(int timeout):
  public void close() {
    ......
    if (socket_ != null) {
      try {
        socket_.close();
      } catch (IOException iox) {
        if (LOGGER.isWarnEnabled())
          LOGGER.warn("Could not close socket.", iox);
      }
      socket_ = null;
    }
  }



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
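
Added example (not part of the original report and not Thrift code): a stand-alone comparison of what reaches the log for the unguarded call, the guarded call proposed above, and an additional variant that records only the exception class. It assumes java.util.logging in place of Thrift's own LOGGER so it runs without dependencies; the class name, method names and the exception text are hypothetical.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class CloseLoggingDemo {
    // In-memory sink so the records produced by each variant can be compared.
    static final List<LogRecord> RECORDS = new ArrayList<>();
    static final Logger LOGGER = Logger.getLogger("demo.TSocket");
    static {
        LOGGER.setUseParentHandlers(false);
        LOGGER.addHandler(new Handler() {
            @Override public void publish(LogRecord r) { RECORDS.add(r); }
            @Override public void flush() {}
            @Override public void close() {}
        });
    }
    // Constructed exception; the address is a documentation-range placeholder.
    static IOException sample() { return new IOException("close failed for /192.0.2.10:9090"); }

    static void unguarded(IOException iox) {            // shape of the current close()
        LOGGER.log(Level.WARNING, "Could not close socket.", iox);
    }
    static void guarded(IOException iox) {              // shape of the proposed close()
        if (LOGGER.isLoggable(Level.WARNING))
            LOGGER.log(Level.WARNING, "Could not close socket.", iox);
    }
    static void classOnly(IOException iox) {            // extra variant: no message, no stack trace
        LOGGER.log(Level.WARNING, "Could not close socket ({0}).", iox.getClass().getName());
    }
    static String describe(LogRecord r) {
        Throwable t = r.getThrown();
        return r.getMessage() + " | thrown=" + (t == null ? "none" : t.getMessage());
    }
    public static void main(String[] args) {
        // Run once with WARNING enabled and once with it disabled (SEVERE only).
        for (Level level : new Level[] { Level.WARNING, Level.SEVERE }) {
            LOGGER.setLevel(level);
            RECORDS.clear();
            unguarded(sample());
            guarded(sample());
            classOnly(sample());
            System.out.println("logger level " + level + ": " + RECORDS.size() + " record(s)");
            for (LogRecord r : RECORDS) System.out.println("  " + describe(r));
        }
    }
}
```

Compile and run with `javac CloseLoggingDemo.java && java CloseLoggingDemo` to see which records carry the exception message at each logger level.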
