  1. ZooKeeper
  2. ZOOKEEPER-3489

Possible information leakage to log without LOG configuration control LOG.isWarnEnabled()

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: java client, security
    • Labels:
      None
    • Environment:

      Ubuntu 16.04.3 LTS
      Open JDK version "1.8.0_191" build 25.191-b12

      Description

      In org.apache.zookeeper.ClientCnxn$SendThread, statements LOG.warn(....) don't have LOG configuration controls.

      void readResponse(ByteBuffer incomingBuffer) throws IOException {
          ......
          LOG.warn("Got server path " + event.getPath() + " which is too short for chroot path " + chrootPath);
          ......
      }

      Sensitive information about event path and chroot path may be leaked. The LOG.isWarnEnabled() conditional statement should be added:

      void readResponse(ByteBuffer incomingBuffer) throws IOException {
          ......
          if (LOG.isWarnEnabled())
              LOG.warn("Got server path " + event.getPath() + " which is too short for chroot path " + chrootPath);
          ......
      }

            People

            • Assignee:
              Unassigned
              Reporter:
              xiaoqin.fu xiaoqin.fu
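
An added example, not part of the issue or of the ZooKeeper code base: it runs the guarded and unguarded forms of the warning quoted in the description at two logger levels and collects what reaches the log. It uses java.util.logging as a stand-in for ZooKeeper's SLF4J logger so that it runs on the JDK alone; the class name, the in-memory handler and the sample paths are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class WarnGuardDemo {
    // Constructed sample values, not taken from a real deployment.
    static final String EVENT_PATH = "/a";
    static final String CHROOT_PATH = "/apps/tenant1";

    /** Logs the warning with the logger set to the given level; returns what was recorded. */
    static List<String> emit(Level loggerLevel, boolean guarded) {
        Logger log = Logger.getAnonymousLogger();
        log.setUseParentHandlers(false);   // keep output out of the console handler
        log.setLevel(loggerLevel);

        List<String> sink = new ArrayList<>();
        log.addHandler(new Handler() {     // in-memory handler standing in for a log file
            @Override public void publish(LogRecord r) { sink.add(r.getMessage()); }
            @Override public void flush() { }
            @Override public void close() { }
        });

        // guarded == true mirrors the proposed "if (LOG.isWarnEnabled())" form;
        // guarded == false mirrors the current unconditional LOG.warn(...) call.
        if (!guarded || log.isLoggable(Level.WARNING)) {
            log.warning("Got server path " + EVENT_PATH
                    + " which is too short for chroot path " + CHROOT_PATH);
        }
        return sink;
    }

    public static void main(String[] args) {
        // Logger configured at WARNING: compare what each form records.
        System.out.println("WARNING, unguarded: " + emit(Level.WARNING, false));
        System.out.println("WARNING, guarded:   " + emit(Level.WARNING, true));
        // Logger configured at SEVERE (warnings disabled): compare again.
        System.out.println("SEVERE,  unguarded: " + emit(Level.SEVERE, false));
        System.out.println("SEVERE,  guarded:   " + emit(Level.SEVERE, true));
    }
}
```

At WARNING both forms record the same message, including both paths, and at SEVERE neither records anything: the logger applies its level check inside the call, so the configured level decides what reaches the log and the explicit guard only skips building the string.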