Posted to dev@thrift.apache.org by "Jens Geyer (Jira)" <ji...@apache.org> on 2020/06/11 07:00:11 UTC

[jira] [Comment Edited] (THRIFT-4928) Sensitive information about expected and actual reading lengths (len, got) is leaked from TIOStreamTransport to TTransport through a TTransportException

    [ https://issues.apache.org/jira/browse/THRIFT-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17132975#comment-17132975 ] 

Jens Geyer edited comment on THRIFT-4928 at 6/11/20, 7:00 AM:
--------------------------------------------------------------

Thank you Max, fully agree.

The unquestioned and unreflected trust in the output of half-understood tools seems to be a kind of modern-day plague and feeds a sort of "I am important, because I found a security problem" attitude. I know that this may sound harsh to some ears, but driving a car requires a driver's license for good reason.

And that is also the reason why I ask that the problem be explained in words understandable by normal mortals. While a 5000-line log file may add highly valuable detail information, the log file alone is never enough to describe the issue in some kind of an "executive summary" that one can understand quickly.


was (Author: jensg):
Thank you Max, fully agree.

The unquestioned and unreflected trust in the output of half-understood tools seems to be a kind of modern-day plague and feeds a sort of "I am important, because I found a security problem" attitude. I know that this may sound harsh to some ears, but driving a car requires a driver's license for good reason.

> Sensitive information about expected and actual reading lengths (len, got) is leaked from TIOStreamTransport to TTransport through a TTransportException
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4928
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4928
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.11.0, 0.12.0
>         Environment: Ubuntu 16.04.3 LTS
>                      Open JDK version "1.8.0_191" build 25.191-b12
>            Reporter: xiaoqin.fu
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
>    Operations: During Apache Thrift integration testing, I developed a calculator application with a client and a server. The client sent a computational command and got the result from the server. After I applied a dynamic taint analyzer (distTaint), I finally found bugs from the taint paths.
>   The source: org.apache.thrift.transport.TIOStreamTransport:
>     public int read(byte[] buf, int off, int len) throws TTransportException {
>       if (inputStream_ == null) {
>         throw new TTransportException(TTransportException.NOT_OPEN, "Cannot read from null inputStream");
>       }
>       int bytesRead;
>       ......
>       bytesRead = inputStream_.read(buf, off, len);
>       ......
>     }
>   
>   The sink: org.apache.thrift.transport.TTransport:
>     public int readAll(byte[] buf, int off, int len)
>         throws TTransportException {
>       ......
>       if (ret <= 0) {
>         throw new TTransportException(
>             "Cannot read. Remote side has closed. Tried to read "
>             + len
>             + " bytes, but only got "
>             + got
>             + " bytes. (This is often indicative of an internal error on the server side. Please check your server logs.)");
>       }
>       ......
>     }
>   Sensitive information about expected and actual reading lengths (len, got) is leaked.
>   The tainted path:
>    org.apache.thrift.transport.TIOStreamTransport --> 
>    org.apache.thrift.transport.TTransport
>    
> I am going to submit a CVE, so please confirm this is not a true positive.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)