xiaoqin.fu created THRIFT-4925:
----------------------------------
Summary: An information leakage from TSaslClientTransport
Key: THRIFT-4925
URL: https://issues.apache.org/jira/browse/THRIFT-4925
Project: Thrift
Issue Type: Bug
Components: Java - Library
Affects Versions: 0.12.0, 0.11.0
Environment: Ubuntu 16.04.3 LTS
Open JDK version "1.8.0_191" build 25.191-b12
Reporter: xiaoqin.fu
In org.apache.thrift.transport.TSaslClientTransport,

    protected void handleSaslStartMessage() throws TTransportException, SaslException {
        .......
        LOGGER.debug("Sending mechanism name {} and initial response of length {}",
            mechanism,
            initialResponse.length);
        .......
    }

Sensitive information about mechanism is leaked. The LOGGER.isDebugEnabled()
conditional statement should be added:

    protected void handleSaslStartMessage() throws TTransportException, SaslException {
        .......
        if (LOGGER.isDebugEnabled())
            LOGGER.debug("Sending mechanism name {} and initial response of length {}",
                mechanism,
                initialResponse.length);
        .......
    }

--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
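
An added example (not code from Thrift or from the report) that runs both forms of the call shown in the report at two logger levels and counts the records that reach a handler, which is the check to run when reviewing what a level guard does to the logged mechanism name. It uses java.util.logging as a stand-in for Thrift's LOGGER; the class name, the capture handler and the sample values are assumptions.

```java
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class SaslLogGuardDemo {
    // Hypothetical in-memory handler: keeps every formatted record it receives.
    static final class Capture extends Handler {
        final List<String> lines = new ArrayList<>();
        @Override public void publish(LogRecord r) {
            lines.add(MessageFormat.format(r.getMessage(), r.getParameters()));
        }
        @Override public void flush() {}
        @Override public void close() {}
    }

    static final Logger LOGGER = Logger.getLogger("demo.sasl");
    static final String MSG = "Sending mechanism name {0} and initial response of length {1}";

    // Same shape as the original call in the report: no explicit level check.
    static void unguarded(String mechanism, byte[] initialResponse) {
        LOGGER.log(Level.FINE, MSG, new Object[] {mechanism, initialResponse.length});
    }

    // Same shape as the proposed change: the call sits behind a level check.
    static void guarded(String mechanism, byte[] initialResponse) {
        if (LOGGER.isLoggable(Level.FINE)) {
            LOGGER.log(Level.FINE, MSG, new Object[] {mechanism, initialResponse.length});
        }
    }

    // Runs both forms at the given logger level and returns what reached the handler.
    static List<String> run(Level level) {
        Capture capture = new Capture();
        LOGGER.setUseParentHandlers(false);
        LOGGER.setLevel(level);
        LOGGER.addHandler(capture);
        byte[] response = new byte[32];      // constructed sample initial response
        unguarded("GSSAPI", response);       // constructed sample mechanism name
        guarded("GSSAPI", response);
        LOGGER.removeHandler(capture);
        return capture.lines;
    }

    public static void main(String[] args) {
        System.out.println("level INFO -> " + run(Level.INFO));
        System.out.println("level FINE -> " + run(Level.FINE));
    }
}
```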