xiaoqin.fu created THRIFT-4926:
----------------------------------
Summary: An information leakage from TSaslTransport
Key: THRIFT-4926
URL: https://issues.apache.org/jira/browse/THRIFT-4926
Project: Thrift
Issue Type: Bug
Components: Java - Library
Affects Versions: 0.12.0, 0.11.0
Reporter: xiaoqin.fu

In org.apache.thrift.transport.TSaslTransport,

    public void open() throws TTransportException {
        .......
        LOGGER.debug("{}: Start message handled", getRole());
        .......
        LOGGER.debug("{}: All done!", getRole());
        .......
        LOGGER.debug("{}: Main negotiation loop complete", getRole());
        .......
        LOGGER.debug("{}: SASL Client receiving last message", getRole());
        .......
    }

Sensitive information about Role is leaked. The LOGGER.isDebugEnabled()
conditional statements should be added:

    public void open() throws TTransportException {
        .......
        if (LOGGER.isDebugEnabled())
            LOGGER.debug("{}: Start message handled", getRole());
        .......
        if (LOGGER.isDebugEnabled())
            LOGGER.debug("{}: All done!", getRole());
        .......
        if (LOGGER.isDebugEnabled())
            LOGGER.debug("{}: Main negotiation loop complete", getRole());
        .......
        if (LOGGER.isDebugEnabled())
            LOGGER.debug("{}: SASL Client receiving last message", getRole());
        .......
    }
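
How the two forms in the report behave with debug logging off and on, as an added example that is not part of the original report or of Thrift's code. It uses java.util.logging (Level.FINE standing in for debug) instead of SLF4J so it runs without dependencies; the getRole() stub, the logger name and the class name are hypothetical.

```java
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class DebugGuardDemo {
    static int roleCalls = 0;                          // evaluations of getRole()
    static final List<String> emitted = new ArrayList<>();

    // Hypothetical stand-in for TSaslTransport.getRole()
    static String getRole() { roleCalls++; return "CLIENT"; }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("demo.sasl");    // hypothetical logger name
        log.setUseParentHandlers(false);               // keep output in our handler only
        log.addHandler(new Handler() {                 // captures every record that is written
            @Override public void publish(LogRecord r) {
                emitted.add(MessageFormat.format(r.getMessage(), r.getParameters()));
            }
            @Override public void flush() {}
            @Override public void close() {}
        });

        for (Level level : new Level[] {Level.INFO, Level.FINE}) {
            log.setLevel(level);

            // Unguarded form: the argument is evaluated before the level check.
            roleCalls = 0; emitted.clear();
            log.log(Level.FINE, "{0}: Start message handled", getRole());
            int uLines = emitted.size(), uCalls = roleCalls;

            // Guarded form: the level check runs first.
            roleCalls = 0; emitted.clear();
            if (log.isLoggable(Level.FINE)) {
                log.log(Level.FINE, "{0}: Start message handled", getRole());
            }
            int gLines = emitted.size(), gCalls = roleCalls;

            System.out.printf("level=%s unguarded: lines=%d getRole=%d | guarded: lines=%d getRole=%d%n",
                    level, uLines, uCalls, gLines, gCalls);
        }
    }
}
```

Running it prints, for each level, how many lines each form wrote and how many times getRole() was evaluated. Whether the role value reaches a log at all is decided by the level configured for the logger.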