[jira] [Updated] (HTTPCLIENT-2337) Potentially unsafe logging of X500Principal in SSLConnectionSocketFactory

[Oleg Kalnichevski (Jira)]

     [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-2337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oleg Kalnichevski updated HTTPCLIENT-2337:
------------------------------------------
    Affects Version/s:     (was: 5.0)
                           (was: 4.3.5.1-android)
                           (was: 4.4.1)
                           (was: 4.5)
                           (was: 4.5.1)
                           (was: 4.5.2)
                           (was: 5.0 Alpha2)
                           (was: 4.5.3)
                           (was: 4.5.4)
                           (was: 5.0 Alpha3)
                           (was: 5.0 Beta1)
                           (was: 4.5.5)
                           (was: 5.0 Beta2)
                           (was: 4.5.6)
                           (was: 4.5.7)
                           (was: 5.0 Beta3)
                           (was: 5.0 Beta4)
                           (was: 4.5.8)
                           (was: 4.5.9)
                           (was: 5.0 Beta5)
                           (was: 4.5.10)
                           (was: 5.0 Beta6)
                           (was: 4.5.11)
                           (was: 5.0 Beta7)
                           (was: 4.5.12)
                           (was: 5.1-beta1)
                           (was: 5.0.1)
                           (was: 4.5.13)
                           (was: 5.0.2)
                           (was: 5.0.3)
                           (was: 5.0.4)
                           (was: 5.1)
                           (was: 5.2-alpha1)
                           (was: 5.1.1)
                           (was: 5.2-beta1)
                           (was: 5.1.2)
                           (was: 5.1.3)
                           (was: 5.1.4)
                           (was: 5.2)
                           (was: 5.2.1)
                           (was: 5.3-alpha1)
                           (was: 4.5.15)
                           (was: 5.2.2)
                           (was: 5.3)
                           (was: 5.4-alpha1)
                           (was: 5.2.3)
                           (was: 5.4-alpha2)
                           (was: 5.3.2)
                           (was: 5.4-beta2)

> Potentially unsafe logging of X500Principal in SSLConnectionSocketFactory
> -------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-2337
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2337
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>    Affects Versions: 4.5.14, 5.3.1, 5.4-beta1
>            Reporter: Winfried Gerlach
>            Priority: Major
>         Attachments: image-2024-09-03-08-43-06-757.png
>
>
> We noticed that in both Apache HTTP Client 4.x and 5.x, 
> {{SSLConnectionSocketFactory}} logs the X500Principal on DEBUG level without 
> sanitizing the fields. If, e.g., the CN contains control characters like 
> {{\b}} or {{\n}}, this could be used by an attacker to tamper with the log of 
> the application (remove stuff, add line breaks etc.).
> !image-2024-09-03-08-43-06-757.png!
> In the screenshot, the CN has a \b after "Control", so the last letter "l" is 
> removed from the log.
> We don't consider this behavior particularly dangerous because it happens on 
> debug level only and the logger can also be turned off completely if needed.
> You may still want to think about sanitizing the RDN values before logging or 
> somehow avoid ing to log the X500Principal completely.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org