[ https://issues.apache.org/jira/browse/THRIFT-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16924825#comment-16924825 ]
Jens Geyer commented on THRIFT-4928: ------------------------------------ I'm not sure. I mean, we can (probably should) remove the values from the error message. But the client should know what he is sending to the server anyways, shouldn't it? I can't imagine any way how that information could be leveraged. That does not imply that it might not exist, I am aware of that. Summary for me: Send a PR and we will merge it. @all: thoughts? > Sensitive information about expected and actual reading lengths (len, got) is > leaked from TIOStreamTransport to TTransport through a TTransportException > -------------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: THRIFT-4928 > URL: https://issues.apache.org/jira/browse/THRIFT-4928 > Project: Thrift > Issue Type: Bug > Components: Java - Library > Affects Versions: 0.11.0, 0.12.0 > Environment: Ubuntu 16.04.3 LTS > Open JDK version "1.8.0_191" build 25.191-b12 > Reporter: xiaoqin.fu > Priority: Major > > Operations: During Apache Thrift integration testing, I developed a > calculator application with a client and a server. The client sent a > computational command and get the result from the server. After I applied > dynamic taint analyzer (distTaint), I found bugs from taint paths finally. > The source: org.apache.thrift.transport.TIOStreamTransport: > public int read(byte[] buf, int off, int len) throws TTransportException { > if (inputStream_ == null) { > throw new TTransportException(TTransportException.NOT_OPEN, "Cannot > read from null inputStream"); > } > int bytesRead; > ...... > bytesRead = inputStream_.read(buf, off, len); > ...... > } > > The sink: org.apache.thrift.transport.TTransport, > public int readAll(byte[] buf, int off, int len) > throws TTransportException { > ...... > if (ret <= 0) { > throw new TTransportException( > "Cannot read. Remote side has closed. Tried to read " > + len > + " bytes, but only got " > + got > + " bytes. (This is often indicative of an internal > error on the server side. Please check your server logs.)"); > } > ...... > } > Sensitive information about expected and actual reading lengths (len, got) > is leaked. > The tainted path: > org.apache.thrift.transport.TIOStreamTransport --> > org.apache.thrift.transport.TTransport > > I am going to submit a CVE, so please confirm this is not a true positive. -- This message was sent by Atlassian Jira (v8.3.2#803003)