[ https://issues.apache.org/jira/browse/THRIFT-4926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16926252#comment-16926252 ]
xiaoqin.fu commented on THRIFT-4926:
------------------------------------

Dear developers:
Should I open a PR to fix it?

> An information leakage from TSaslTransport
> ------------------------------------------
>
>                 Key: THRIFT-4926
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4926
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.11.0, 0.12.0
>            Reporter: xiaoqin.fu
>            Priority: Major
>
> In org.apache.thrift.transport.TSaslTransport,
>   public void open() throws TTransportException {
>     .......
>     LOGGER.debug("{}: Start message handled", getRole());
>     .......
>     LOGGER.debug("{}: All done!", getRole());
>     .......
>     LOGGER.debug("{}: Main negotiation loop complete", getRole());
>     .......
>     LOGGER.debug("{}: SASL Client receiving last message", getRole());
>     .......
>   }
> Sensitive information about Role is leaked. The LOGGER.isDebugEnabled() conditional statements should be added:
>   public void open() throws TTransportException {
>     .......
>     if (LOGGER.isDebugEnabled())
>       LOGGER.debug("{}: Start message handled", getRole());
>     .......
>     if (LOGGER.isDebugEnabled())
>       LOGGER.debug("{}: All done!", getRole());
>     .......
>     if (LOGGER.isDebugEnabled())
>       LOGGER.debug("{}: Main negotiation loop complete", getRole());
>     .......
>     if (LOGGER.isDebugEnabled())
>       LOGGER.debug("{}: SASL Client receiving last message", getRole());
>     .......
>   }

--
This message was sent by Atlassian Jira (v8.3.2#803003)
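
Added example, not part of the original message or of Thrift's code: a self-contained Java program that runs an unguarded and a guarded parameterized debug call, shaped like the ones quoted above, at two log levels and reports what each writes. It assumes java.util.logging as a stand-in for the SLF4J LOGGER (isLoggable(Level.FINE) in place of isDebugEnabled()); getRole() is a hypothetical stub and the class name is made up for the demo.

```java
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

// java.util.logging stands in for SLF4J here (assumption, to stay JDK-only).
public class GuardedDebugDemo {
    private static final Logger LOGGER = Logger.getLogger("demo.TSaslTransport");
    private static final List<String> written = new ArrayList<>();
    private static int getRoleCalls;

    // Hypothetical stub for TSaslTransport.getRole(); counts evaluations.
    private static String getRole() { getRoleCalls++; return "CLIENT"; }

    // Shape of the calls quoted in the report.
    private static void unguarded() {
        LOGGER.log(Level.FINE, "{0}: Start message handled", getRole());
    }

    // Shape of the proposed change.
    private static void guarded() {
        if (LOGGER.isLoggable(Level.FINE))
            LOGGER.log(Level.FINE, "{0}: Start message handled", getRole());
    }

    // Run both variants at one level; report records written and getRole() calls.
    private static void run(Level level) {
        LOGGER.setLevel(level);
        written.clear();
        getRoleCalls = 0;
        unguarded();
        int first = written.size();
        guarded();
        System.out.printf("level=%s unguarded=%d guarded=%d getRoleCalls=%d%n",
                level, first, written.size() - first, getRoleCalls);
    }

    public static void main(String[] args) {
        LOGGER.setUseParentHandlers(false);
        LOGGER.addHandler(new Handler() {
            @Override public void publish(LogRecord r) {
                written.add(MessageFormat.format(r.getMessage(), r.getParameters()));
            }
            @Override public void flush() { }
            @Override public void close() { }
        });
        run(Level.FINE);   // debug enabled
        run(Level.INFO);   // debug disabled
    }
}
```

In both variants the configured level decides whether the role string reaches the log; the guard only skips evaluating getRole() when debug is off.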