[
https://issues.apache.org/jira/browse/HTTPCLIENT-2337?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17883611#comment-17883611
]
ASF subversion and git services commented on HTTPCLIENT-2337:
-------------------------------------------------------------
Commit e9560a4ae6518a042d460594e61c0220aee72fb3 in httpcomponents-client's
branch refs/heads/master from Arturo Bernal
[ https://gitbox.apache.org/repos/asf?p=httpcomponents-client.git;h=e9560a4ae ]
HTTPCLIENT-2337: Sanitize X500Principal Logging in ClientTlsStrategy classes
(#581)
* HTTPCLIENT-2337: Add sanitizeX500Principal method to escape control
characters in X500Principal. Escapes ISO control characters in X500Principal
using hexadecimal representation.
* Remove "Escaped" from debug log message
* Use a single call to append() for each character in toEscapedString()
---------
Co-authored-by: Gary Gregory <[email protected]>
> Potentially unsafe logging of X500Principal in SSLConnectionSocketFactory
> -------------------------------------------------------------------------
>
> Key: HTTPCLIENT-2337
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2337
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Affects Versions: 4.5.14, 5.3.1, 5.4-beta1
> Reporter: Winfried Gerlach
> Priority: Trivial
> Labels: volunteers-wanted
> Fix For: Stuck
>
> Attachments: example-cert.pem, image-2024-09-03-08-43-06-757.png
>
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> We noticed that in both Apache HTTP Client 4.x and 5.x,
> {{SSLConnectionSocketFactory}} logs the X500Principal on DEBUG level without
> sanitizing the fields. If, e.g., the CN contains control characters like
> {{\b}} or {{{}\n{}}}, this could be used by an attacker to tamper with the
> log of the application (remove stuff, add line breaks etc.).
> !image-2024-09-03-08-43-06-757.png!
> In the screenshot, the CN has a \b after "Control", so the last letter "l" is
> removed from the log.
> We don't consider this behavior particularly dangerous because it happens on
> debug level only and the logger can also be turned off completely if needed.
> You may still want to think about sanitizing the RDN values before logging or
> somehow avoiding to log the X500Principal completely.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
