xiaoqin.fu created THRIFT-4926:
----------------------------------

             Summary: An information leakage from TSaslTransport
                 Key: THRIFT-4926
                 URL: https://issues.apache.org/jira/browse/THRIFT-4926
             Project: Thrift
          Issue Type: Bug
          Components: Java - Library
    Affects Versions: 0.12.0, 0.11.0
            Reporter: xiaoqin.fu

In org.apache.thrift.transport.TSaslTransport,

    public void open() throws TTransportException {
        .......
        LOGGER.debug("{}: Start message handled", getRole());
        .......
        LOGGER.debug("{}: All done!", getRole());
        .......
        LOGGER.debug("{}: Main negotiation loop complete", getRole());
        .......
        LOGGER.debug("{}: SASL Client receiving last message", getRole());
        .......
    }

Sensitive information about Role is leaked. The LOGGER.isDebugEnabled() conditional statements should be added:

    public void open() throws TTransportException {
        .......
        if (LOGGER.isDebugEnabled())
            LOGGER.debug("{}: Start message handled", getRole());
        .......
        if (LOGGER.isDebugEnabled())
            LOGGER.debug("{}: All done!", getRole());
        .......
        if (LOGGER.isDebugEnabled())
            LOGGER.debug("{}: Main negotiation loop complete", getRole());
        .......
        if (LOGGER.isDebugEnabled())
            LOGGER.debug("{}: SASL Client receiving last message", getRole());
        .......
    }

--
This message was sent by Atlassian JIRA (v7.6.14#76016)
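
For anyone triaging this report, the following added example (not code from the issue or from Thrift) compares what an unguarded and a guarded parameterized debug call emit, and how often `getRole()` is evaluated, with DEBUG on and off. `MiniLogger` is a hypothetical stand-in that models an SLF4J-style logger checking the level inside `debug()`, and the role value `CLIENT` is constructed.

```java
import java.util.ArrayList;
import java.util.List;

public class GuardedDebugDemo {
    // Hypothetical stand-in for an SLF4J-style logger; not Thrift or SLF4J code.
    static class MiniLogger {
        final boolean debugEnabled;
        final List<String> emitted = new ArrayList<>();

        MiniLogger(boolean debugEnabled) { this.debugEnabled = debugEnabled; }

        boolean isDebugEnabled() { return debugEnabled; }

        void debug(String format, Object arg) {
            if (!debugEnabled) return; // the level is checked inside debug() as well
            emitted.add(format.replace("{}", String.valueOf(arg)));
        }
    }

    static int roleCalls = 0;

    // Constructed role value; counts evaluations so the guard's effect is visible.
    static String getRole() { roleCalls++; return "CLIENT"; }

    // Form currently in open(), as quoted in the report.
    static void unguarded(MiniLogger log) {
        log.debug("{}: Start message handled", getRole());
    }

    // Form proposed in the report.
    static void guarded(MiniLogger log) {
        if (log.isDebugEnabled()) log.debug("{}: Start message handled", getRole());
    }

    static String run(boolean debugEnabled, boolean useGuard) {
        MiniLogger log = new MiniLogger(debugEnabled);
        roleCalls = 0;
        if (useGuard) guarded(log); else unguarded(log);
        return "debug=" + debugEnabled + " guard=" + useGuard
                + " emitted=" + log.emitted + " getRole() calls=" + roleCalls;
    }

    public static void main(String[] args) {
        for (boolean debugEnabled : new boolean[] {true, false})
            for (boolean useGuard : new boolean[] {false, true})
                System.out.println(run(debugEnabled, useGuard));
    }
}
```

Under this model the emitted lines are the same for both forms at each level; the only difference is that the guard skips the `getRole()` call when DEBUG is off.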