xiaoqin.fu created THRIFT-4923:
----------------------------------

             Summary: An information leakage from TIOStreamTransport
                 Key: THRIFT-4923
                 URL: https://issues.apache.org/jira/browse/THRIFT-4923
             Project: Thrift
          Issue Type: Bug
          Components: Java - Library
    Affects Versions: 0.12.0, 0.11.0
         Environment: Ubuntu 16.04.3 LTS
                      Open JDK version "1.8.0_191" build 25.191-b12
            Reporter: xiaoqin.fu

In org.apache.thrift.transport.TIOStreamTransport,

    public void close() {
      if (inputStream_ != null) {
        try {
          inputStream_.close();
        } catch (IOException iox) {
          LOGGER.warn("Error closing input stream.", iox);
        }
        inputStream_ = null;
      }
      if (outputStream_ != null) {
        try {
          outputStream_.close();
        } catch (IOException iox) {
          LOGGER.warn("Error closing output stream.", iox);
        }
        outputStream_ = null;
      }
    }

Sensitive information about socket input stream or output stream is leaked. The LOGGER.isWarnEnabled() conditional statement should be added:

    public void close() {
      if (inputStream_ != null) {
        try {
          inputStream_.close();
        } catch (IOException iox) {
          if (LOGGER.isWarnEnabled())
            LOGGER.warn("Error closing input stream.", iox);
        }
        inputStream_ = null;
      }
      if (outputStream_ != null) {
        try {
          outputStream_.close();
        } catch (IOException iox) {
          if (LOGGER.isWarnEnabled())
            LOGGER.warn("Error closing output stream.", iox);
        }
        outputStream_ = null;
      }
    }

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
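
An added example, not code from the issue or from the Thrift project: it runs the unguarded and the guarded logging call from the report under two logger levels and counts the records that reach a capturing handler, so the effect of the proposed level check can be measured. It assumes java.util.logging (`isLoggable(Level.WARNING)`) as a stand-in for the logging API behind LOGGER so that it runs on a bare JDK; the class name, method names and exception text are constructed for the demo.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class CloseLoggingDemo {
    // Handler that keeps every record it is handed, including the attached Throwable.
    static final class Capture extends Handler {
        final List<LogRecord> records = new ArrayList<>();
        @Override public void publish(LogRecord r) { if (isLoggable(r)) records.add(r); }
        @Override public void flush() {}
        @Override public void close() {}
    }

    // Shape of the original catch block: log unconditionally.
    static void closeUnguarded(Logger log, IOException iox) {
        log.log(Level.WARNING, "Error closing input stream.", iox);
    }

    // Shape of the proposed catch block: check the level first.
    static void closeGuarded(Logger log, IOException iox) {
        if (log.isLoggable(Level.WARNING)) {
            log.log(Level.WARNING, "Error closing input stream.", iox);
        }
    }

    // Returns {records from the unguarded call, records from the guarded call}.
    static int[] run(Level level) {
        Logger log = Logger.getLogger("demo." + level);
        log.setUseParentHandlers(false);   // keep output inside the capture handler
        log.setLevel(level);
        Capture cap = new Capture();
        log.addHandler(cap);
        // Constructed exception text (documentation address), standing in for a socket error.
        IOException iox = new IOException("constructed: connection reset by 192.0.2.10:9090");
        closeUnguarded(log, iox);
        int unguarded = cap.records.size();
        closeGuarded(log, iox);
        int guarded = cap.records.size() - unguarded;
        log.removeHandler(cap);
        return new int[] { unguarded, guarded };
    }

    public static void main(String[] args) {
        for (Level level : new Level[] { Level.WARNING, Level.SEVERE }) {
            int[] n = run(level);
            System.out.printf("logger level %-7s unguarded=%d guarded=%d%n", level, n[0], n[1]);
        }
    }
}
```

Compare the two counts on each row. Each captured record carries the exception object itself, whose message and stack trace are what a handler writes to the log.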