xiaoqin.fu created THRIFT-4925:
----------------------------------

             Summary: An information leakage from TSaslClientTransport
                 Key: THRIFT-4925
                 URL: https://issues.apache.org/jira/browse/THRIFT-4925
             Project: Thrift
          Issue Type: Bug
          Components: Java - Library
    Affects Versions: 0.12.0, 0.11.0
         Environment: Ubuntu 16.04.3 LTS
Open JDK version "1.8.0_191" build 25.191-b12
            Reporter: xiaoqin.fu


In org.apache.thrift.transport.TSaslClientTransport,

  protected void handleSaslStartMessage() throws TTransportException, SaslException {
    .......
    LOGGER.debug("Sending mechanism name {} and initial response of length {}", mechanism,
        initialResponse.length);
    .......
  }

Sensitive information about the mechanism is leaked. A LOGGER.isDebugEnabled() conditional statement should be added:

  protected void handleSaslStartMessage() throws TTransportException, SaslException {
    .......
    if (LOGGER.isDebugEnabled())
      LOGGER.debug("Sending mechanism name {} and initial response of length {}", mechanism,
          initialResponse.length);
    .......
  }
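The guarded pattern proposed above, as an added stand-alone example (not Thrift code and not part of this report). It assumes the SLF4J API with some binding on the classpath; the SaslStartLogger class, the logSaslStart and wouldLogMechanism methods, and the sample mechanism and response bytes are constructed for illustration.

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Added example, not Thrift code: the isDebugEnabled() guard applied to a
// stand-alone class with the same shape as handleSaslStartMessage().
// Assumes the SLF4J API and a binding (e.g. slf4j-simple) on the classpath.
public class SaslStartLogger {
    private static final Logger LOGGER = LoggerFactory.getLogger(SaslStartLogger.class);

    // The mechanism name and the response length are handed to the logger only
    // when DEBUG is enabled, so a deployment configured at INFO or above never
    // evaluates or writes them.
    static void logSaslStart(String mechanism, byte[] initialResponse) {
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Sending mechanism name {} and initial response of length {}",
                mechanism, initialResponse.length);
        }
    }

    // Reports whether a debug message would actually be written, so an operator
    // can confirm the effective log level before turning on SASL tracing.
    static boolean wouldLogMechanism() {
        return LOGGER.isDebugEnabled();
    }

    public static void main(String[] args) {
        // Constructed sample values; a real client obtains them from the SASL layer.
        String mechanism = "GSSAPI";
        byte[] initialResponse = new byte[] {0x60, 0x01, 0x02};
        System.out.println("Debug logging enabled: " + wouldLogMechanism());
        logSaslStart(mechanism, initialResponse);
    }
}
```

With slf4j-simple as the binding, running with -Dorg.slf4j.simpleLogger.defaultLogLevel=debug makes wouldLogMechanism() return true and emits the line; at the default level it returns false and nothing about the mechanism reaches the log output.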
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)