[
https://issues.apache.org/jira/browse/CXF-9123?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17939667#comment-17939667
]
Andriy Redko commented on CXF-9123:
-----------------------------------
There seems to be a reason to have CachedOutputStream::toString() implemented
this way (I hope), we may have users that rely on it and that would be a
breaking change.
> Payload written to logs
> -----------------------
>
> Key: CXF-9123
> URL: https://issues.apache.org/jira/browse/CXF-9123
> Project: CXF
> Issue Type: Bug
> Components: Core
> Reporter: Manuel Shenavai
> Priority: Major
>
> When tmp files are cleaned up by DelayedCachedOutputStreamCleaner, the
> content of the tmp file is written into the logs:
> https://github.com/apache/cxf/blob/4fc8b120d7c7363c70324ff8c790494655ad3fa4/core/src/main/java/org/apache/cxf/io/DelayedCachedOutputStreamCleaner.java#L132
> https://github.com/apache/cxf/blob/main/core/src/main/java/org/apache/cxf/io/CachedOutputStream.java#L430
> Writing the payloads into the logs is a security problem.
> Example log:
> 2025-03-24T18:34:21.17+0530 [...] "Unclosed (leaked?) stream detected:
> [org.apache.cxf.io.CachedOutputStream Content: <queryResponse [...]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
