[
https://issues.apache.org/jira/browse/ZOOKEEPER-2405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15213192#comment-15213192
]
Patrick Hunt commented on ZOOKEEPER-2405:
-----------------------------------------
I'd rather not remove it entirely, it seems like reasonable debug level
information. Perhaps we can print whether it's null or not and the
client/server principal if not null?
> getTGT() in Login.java mishandles confidential information
> ----------------------------------------------------------
>
> Key: ZOOKEEPER-2405
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2405
> Project: ZooKeeper
> Issue Type: Bug
> Components: kerberos, security, server
> Affects Versions: 3.4.8, 3.5.1, 3.6.0
> Reporter: Patrick Hunt
> Priority: Blocker
> Fix For: 3.4.9, 3.5.2, 3.6.0
>
>
> We're logging the kerberos ticket when in debug mode, probably not the best
> idea. This was identified as a "critical" issue by Fortify.
> {noformat}
> for(KerberosTicket ticket: tickets) {
> KerberosPrincipal server = ticket.getServer();
> if (server.getName().equals("krbtgt/" + server.getRealm() + "@" +
> server.getRealm())) {
> LOG.debug("Found tgt " + ticket + ".");
> return ticket;
> }
> }
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
