If logging is higher than DEBUG level, the message will not print. The Log.debug() method will check the log level internally. Adding the external check is simply a potential performance optimization.
Thanks.

On Mon, Aug 12, 2019, 10:41 PM Xiaoqin Fu <xiaoqin...@gmail.com> wrote:
> Dear developers:
> I am a Ph.D. student at Washington State University. I applied a dynamic
> taint analyzer (distTaint) to Apache Zookeeper (version 3.4.11). I then
> found a security vulnerability, which exists from 3.4.11-3.4.14 and 3.5.5,
> from tainted paths.
>
> An information leakage from FileTxnSnapLog to log:
> In org.apache.zookeeper.server.persistence.FileTxnSnapLog, the statement
> LOG.debug doesn't have LOG controls:
>
>     public void processTransaction(TxnHeader hdr, DataTree dt,
>             Map<Long, Integer> sessions, Record txn)
>             throws KeeperException.NoNodeException {
>         ......
>         if (rc.err != Code.OK.intValue()) {
>             LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
>                     + ", error: " + rc.err + ", path: " + rc.path);
>         }
>         ......
>     }
>
> Sensitive information about hdr type or rc path was leaked. The conditional
> statement LOG.isDebugEnabled() should be added:
>
>     public void processTransaction(TxnHeader hdr, DataTree dt,
>             Map<Long, Integer> sessions, Record txn)
>             throws KeeperException.NoNodeException {
>         ......
>         if (rc.err != Code.OK.intValue()) {
>             if (LOG.isDebugEnabled())
>                 LOG.debug("Ignoring processTxn failure hdr:" + hdr.getType()
>                         + ", error: " + rc.err + ", path: " + rc.path);
>         }
>         ......
>     }
>
> In JIRA, it is at https://issues.apache.org/jira/browse/ZOOKEEPER-3504
> Please help me confirm it.
>
> Thank you very much!
> Yours sincerely
> Xiaoqin Fu
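The point made in the reply, that the level check already happens inside the debug call and the outer guard only saves the cost of building the message, can be shown with a small self-contained example. This is an added illustration, not code from the thread or from ZooKeeper; it uses Python's standard logging module instead of slf4j, and the logger name, the call counter and the sample header type, error code and path are constructed for the demonstration.

```python
import logging
from io import StringIO


def make_logger(level):
    """Create an isolated logger that writes to an in-memory buffer (constructed for the example)."""
    logger = logging.getLogger("example.processTxn")
    logger.handlers.clear()          # start clean on every call
    logger.propagate = False         # keep output out of the root logger
    logger.setLevel(level)
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf


class Counter:
    """Counts how many times the message arguments were actually built."""
    def __init__(self):
        self.calls = 0


def render_path(counter, path):
    """Stand-in for an argument that costs something to compute (here: rc.path)."""
    counter.calls += 1
    return path


def log_failure(logger, counter, hdr_type, err, path, guard):
    """Mirror the quoted processTransaction snippet, with or without the isDebugEnabled guard."""
    if guard and not logger.isEnabledFor(logging.DEBUG):
        return  # guarded form: the message string is never assembled
    # Unguarded form (or guarded form at DEBUG): concatenation runs before debug() is called,
    # and debug() itself still drops the record if the level is above DEBUG.
    logger.debug("Ignoring processTxn failure hdr:" + str(hdr_type)
                 + ", error: " + str(err) + ", path: " + render_path(counter, path))


def run(level, guard):
    """Return (emitted log text, number of times the arguments were built)."""
    logger, buf = make_logger(level)
    counter = Counter()
    log_failure(logger, counter, 2, -101, "/zookeeper/quota", guard)
    return buf.getvalue(), counter.calls


if __name__ == "__main__":
    for level_name, level in (("INFO", logging.INFO), ("DEBUG", logging.DEBUG)):
        for guard in (False, True):
            text, calls = run(level, guard)
            print(f"level={level_name} guard={guard}: emitted={text!r} args_built={calls}")
```

At INFO nothing is emitted in either form, so the guard changes no observable log output; it only avoids building the string. At DEBUG both forms emit the same line, which is the configuration where the header type and path reach the log at all.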