[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15271416#comment-15271416
 ] 

Patrick Hunt commented on ZOOKEEPER-2405:
-----------------------------------------

My bad, it looks like the original code always assumed the set contained valid 
tickets (which seems reasonable). Based on that the null ticket check is not 
necessary afaict. Does that make sense? In checking the code from openjdk it 
looks like the client/server for a ticket can never be null (the docs are not 
clear). So no null check is necessary for the getName calls:

http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/6-b14/javax/security/auth/kerberos/KerberosTicket.java#KerberosTicket.init%28byte%5B%5D%2Cjavax.security.auth.kerberos.KerberosPrincipal%2Cjavax.security.auth.kerberos.KerberosPrincipal%2Cbyte%5B%5D%2Cint%2Cboolean%5B%5D%2Cjava.util.Date%2Cjava.util.Date%2Cjava.util.Date%2Cjava.util.Date%2Cjava.net.InetAddress%5B%5D%29

Michael can you update the patch?

> getTGT() in Login.java mishandles confidential information
> ----------------------------------------------------------
>
>                 Key: ZOOKEEPER-2405
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2405
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: kerberos, security, server
>    Affects Versions: 3.4.8, 3.5.1, 3.6.0
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.9, 3.5.2, 3.6.0
>
>         Attachments: ZOOKEEPER-2405.patch, ZOOKEEPER-2405.patch
>
>
> We're logging the kerberos ticket when in debug mode, probably not the best 
> idea. This was identified as a "critical" issue by Fortify.
> {noformat}
>         for(KerberosTicket ticket: tickets) {
>             KerberosPrincipal server = ticket.getServer();
>             if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
>                 LOG.debug("Found tgt " + ticket + ".");
>                 return ticket;
>             }
>         }
> {noformat}
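An added example contrasting the original debug line with one that logs only principal names; this is not ZooKeeper's code or the attached patch, findTgt is a hypothetical stand-in for Login.getTGT(), and the ticket is constructed from placeholder bytes. Java's KerberosTicket.toString() includes a hex dump of the ticket encoding and its session key, which is why logging the whole ticket object is a problem.

```java
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtLogging {

    // Hypothetical stand-in for Login.getTGT(): same TGT match as the original,
    // but the debug message names the principals instead of dumping the ticket.
    static KerberosTicket findTgt(Set<KerberosTicket> tickets, StringBuilder debugLog) {
        for (KerberosTicket ticket : tickets) {
            KerberosPrincipal server = ticket.getServer();
            if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                // Principal names only; never concatenate the KerberosTicket itself.
                debugLog.append("Found tgt for ").append(ticket.getClient().getName())
                        .append(" issued by ").append(server.getName());
                return ticket;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample ticket: placeholder ASN.1 bytes and a 0x41-filled
        // session key so the key is easy to spot in a hex dump. Not a real ticket.
        byte[] sessionKey = new byte[16];
        Arrays.fill(sessionKey, (byte) 0x41);
        KerberosTicket tgt = new KerberosTicket(
                new byte[] {0x30, 0x03, 0x02, 0x01, 0x05},
                new KerberosPrincipal("zookeeper/zk1.example.com@EXAMPLE.COM"),
                new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
                sessionKey, 17, new boolean[32],
                new Date(), new Date(), new Date(System.currentTimeMillis() + 3600_000L),
                null, null);
        Set<KerberosTicket> tickets = new HashSet<>();
        tickets.add(tgt);

        StringBuilder safe = new StringBuilder();
        KerberosTicket found = findTgt(tickets, safe);

        // What the original debug line produced: the whole ticket, session key included.
        String unsafe = "Found tgt " + found + ".";
        System.out.println("safe log line: " + safe);
        System.out.println("unsafe line contains session key bytes: " + unsafe.contains("41 41 41 41"));
        System.out.println("safe line contains session key bytes:   " + safe.toString().contains("41 41 41 41"));
    }
}
```

Run it to see that the original message hex-dumps the session key while the principal-only message does not; the same check is a reasonable thing to assert in a unit test around any debug logging of credential objects.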



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)