[ https://issues.apache.org/jira/browse/ZOOKEEPER-2405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15213159#comment-15213159 ]
Patrick Hunt commented on ZOOKEEPER-2405:
-----------------------------------------

fwiw here's the toString of KerberosTicket

{noformat}
public String toString() {
    if (destroyed)
        throw new IllegalStateException("This ticket is no longer valid");
    StringBuffer caddrBuf = new StringBuffer();
    if (clientAddresses != null) {
        for (int i = 0; i < clientAddresses.length; i++) {
            caddrBuf.append("clientAddresses[" + i + "] = "
                    + clientAddresses[i].toString());
        }
    }
    // Both the raw ticket encoding and the session key end up in this string.
    return ("Ticket (hex) = " + "\n"
            + (new HexDumpEncoder()).encodeBuffer(asn1Encoding) + "\n"
            + "Client Principal = " + client.toString() + "\n"
            + "Server Principal = " + server.toString() + "\n"
            + "Session Key = " + sessionKey.toString() + "\n"
            + "Forwardable Ticket " + flags[FORWARDABLE_TICKET_FLAG] + "\n"
            + "Forwarded Ticket " + flags[FORWARDED_TICKET_FLAG] + "\n"
            + "Proxiable Ticket " + flags[PROXIABLE_TICKET_FLAG] + "\n"
            + "Proxy Ticket " + flags[PROXY_TICKET_FLAG] + "\n"
            + "Postdated Ticket " + flags[POSTDATED_TICKET_FLAG] + "\n"
            + "Renewable Ticket " + flags[RENEWABLE_TICKET_FLAG] + "\n"
            // pasted source indexes RENEWABLE_TICKET_FLAG here; INITIAL_TICKET_FLAG is the intended index
            + "Initial Ticket " + flags[INITIAL_TICKET_FLAG] + "\n"
            + "Auth Time = " + String.valueOf(authTime) + "\n"
            + "Start Time = " + String.valueOf(startTime) + "\n"
            + "End Time = " + endTime.toString() + "\n"
            + "Renew Till = " + String.valueOf(renewTill) + "\n"
            + "Client Addresses "
            + (clientAddresses == null ? " Null " : caddrBuf.toString() + "\n"));
}
{noformat}

> getTGT() in Login.java mishandles confidential information
> ----------------------------------------------------------
>
>                 Key: ZOOKEEPER-2405
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2405
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: kerberos, security, server
>    Affects Versions: 3.4.8, 3.5.1, 3.6.0
>            Reporter: Patrick Hunt
>            Priority: Blocker
>             Fix For: 3.4.9, 3.5.2, 3.6.0
>
>
> We're logging the Kerberos ticket when in debug mode, probably not the best
> idea. This was identified as a "critical" issue by Fortify.
> {noformat}
> for (KerberosTicket ticket : tickets) {
>     KerberosPrincipal server = ticket.getServer();
>     if (server.getName().equals("krbtgt/" + server.getRealm() + "@" +
>             server.getRealm())) {
>         LOG.debug("Found tgt " + ticket + ".");
>         return ticket;
>     }
> }
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
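The defensive alternative to the quoted `LOG.debug("Found tgt " + ticket + ".")`, written here as an added example and not ZooKeeper's own fix: keep the same TGT selection but log a summary that omits the ASN.1 encoding and session key that `KerberosTicket.toString()` prints. The `describe` and `findTgt` names, the `System.out` stand-in for the logger, and the sample ticket (dummy encoding, all-zero key, EXAMPLE.COM realm) are constructed for this example.

```java
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtLogging {
    // Log-safe view of a ticket: principals, flags and lifetime only, never the
    // ASN.1 encoding or the session key that KerberosTicket.toString() emits.
    static String describe(KerberosTicket t) {
        if (t.isDestroyed()) {
            return "KerberosTicket[destroyed]";
        }
        return "KerberosTicket[client=" + t.getClient().getName()
                + ", server=" + t.getServer().getName()
                + ", forwardable=" + t.isForwardable()
                + ", renewable=" + t.isRenewable()
                + ", start=" + t.getStartTime()
                + ", end=" + t.getEndTime()
                + ", renewTill=" + t.getRenewTill() + "]";
    }

    // Same TGT selection as the quoted getTGT() loop; only the log line changes.
    static KerberosTicket findTgt(KerberosTicket[] tickets) {
        for (KerberosTicket ticket : tickets) {
            KerberosPrincipal server = ticket.getServer();
            if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                // Before: LOG.debug("Found tgt " + ticket + ".") wrote the key material out.
                System.out.println("DEBUG Found tgt " + describe(ticket) + ".");
                return ticket;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample ticket: dummy encoding and all-zero key, not real material.
        long now = System.currentTimeMillis();
        boolean[] flags = new boolean[32];
        flags[1] = true;  // forwardable (RFC 4120 ticket flag bit 1)
        flags[8] = true;  // renewable  (RFC 4120 ticket flag bit 8)
        KerberosTicket tgt = new KerberosTicket(
                new byte[] {0x61, 0x00}, new KerberosPrincipal("alice@EXAMPLE.COM"),
                new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
                new byte[16], 17 /* aes128-cts-hmac-sha1-96 */, flags,
                new Date(now), new Date(now), new Date(now + 10 * 3_600_000L),
                new Date(now + 7 * 86_400_000L), null);
        KerberosTicket found = findTgt(new KerberosTicket[] {tgt});
        // Contrast with what the original debug line would have written to the log.
        String full = found.toString();
        System.out.println("toString() contains \"Session Key\": " + full.contains("Session Key"));
    }
}
```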