Winfried Gerlach created HTTPCLIENT-2337: --------------------------------------------
Summary: Potentially unsafe logging of X500Principal in SSLConnectionSocketFactory
Key: HTTPCLIENT-2337
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2337
Project: HttpComponents HttpClient
Issue Type: Improvement
Affects Versions: 5.4-beta1, 5.4-alpha2, 5.4-alpha1, 5.3.1, 5.3, 5.3-alpha1, 5.2.1, 5.2, 5.2-beta1, 5.2-alpha1, 5.2.3, 5.2.2, 5.1.4, 5.1.3, 5.1.2, 5.1.1, 5.1, 5.1-beta1, 5.0, 5.0 Beta7, 5.0 Beta6, 5.0 Beta5, 5.0 Beta4, 5.0 Beta3, 5.0 Beta2, 5.0 Beta1, 5.0 Alpha3, 5.0 Alpha2, 5.0.4, 5.0.3, 5.0.2, 5.0.1, 4.5.14, 4.5.13, 4.5.12, 4.5.11, 4.5.10, 4.5.9, 4.5.8, 4.5.7, 4.5.6, 4.5.5, 4.5.4, 4.5.3, 4.5.2, 4.5.1, 4.5, 4.4.1, 4.3.5.1-android, 4.5.15, 5.3.2, 5.4-beta2
Reporter: Winfried Gerlach
Attachments: image-2024-09-03-08-43-06-757.png

We noticed that in both Apache HTTP Client 4.x and 5.x, {{SSLConnectionSocketFactory}} logs the X500Principal on DEBUG level without sanitizing the fields. If, e.g., the CN contains control characters like {{\b}} or {{\n}}, this could be used by an attacker to tamper with the log of the application (remove stuff, add line breaks, etc.).

!image-2024-09-03-08-43-06-757.png|thumbnail!

In the screenshot, the CN has a \b after "Control", so the last letter "l" is removed from the log.

We don't consider this behavior particularly dangerous because it happens on debug level only and the logger can also be turned off completely if needed. You may still want to think about sanitizing the RDN values before logging or somehow avoid logging the X500Principal completely.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org
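The mitigation the report suggests (sanitize the RDN values before they reach the logger) can be shown in a few lines. The class below is an added example written for this page; it is not HttpClient code and not the reporter's, and the class and method names (SafePrincipalLogging, sanitize, escapeControlChars) are assumptions. It takes the RFC 2253 string form of an X500Principal and escapes every control character (C0 and C1 controls, DEL, and the Unicode line and paragraph separators) so a subject like the one in the screenshot, here rebuilt as a constructed value with a backspace after "Control" and an embedded newline, prints as a single, faithful log line instead of rewriting or splitting it.

```java
import javax.security.auth.x500.X500Principal;

/**
 * Added example, not part of Apache HttpClient: renders an X500Principal in a
 * form that is safe to hand to a logger. Control characters in RDN values are
 * replaced by visible escapes, so a backspace cannot erase preceding output and
 * a line feed cannot start a forged log line.
 */
public final class SafePrincipalLogging {

    private SafePrincipalLogging() {
    }

    /** Returns the RFC 2253 name of the principal with all control characters escaped. */
    public static String sanitize(X500Principal principal) {
        return escapeControlChars(principal.getName(X500Principal.RFC2253));
    }

    /**
     * Escapes C0 controls (0x00-0x1F), DEL (0x7F), C1 controls (0x80-0x9F) and the
     * Unicode line/paragraph separators (U+2028, U+2029). Common controls get their
     * familiar two-character escape; everything else becomes \\uXXXX. Printable
     * characters, including the backslashes RFC 2253 itself uses, pass through.
     */
    static String escapeControlChars(String s) {
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\b': out.append("\\b"); break;
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '\t': out.append("\\t"); break;
                default:
                    if (c < 0x20 || (c >= 0x7F && c <= 0x9F) || c == '\u2028' || c == '\u2029') {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed subject modelled on the report: a backspace after "Control"
        // (which would erase the "l" on a terminal) and a newline followed by text
        // that would look like a separate INFO record in the log.
        X500Principal crafted = new X500Principal(
                "CN=Control\bTest\nINFO fake line,O=Example Corp,C=DE");

        // What an unsanitized debug statement would emit.
        System.out.println("unsanitized: " + crafted.getName(X500Principal.RFC2253));

        // What the same statement emits after sanitizing; this is the string you
        // would pass to LOG.debug("peer principal: {}", ...) instead of the principal.
        System.out.println("sanitized:   " + sanitize(crafted));
    }
}
```

The escape is applied to the whole name string rather than per RDN because only control characters need rewriting and the RFC 2253 separators are left untouched, so the sanitized output still reads as a distinguished name. If a consumer needs to tell a literal two-character "\n" in a certificate apart from an escaped line feed, extend the switch to escape the backslash as well; for a DEBUG line that a human reads, the ambiguity is usually acceptable.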