-
Notifications
You must be signed in to change notification settings - Fork 935
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTPCLIENT-2337: Sanitize X500Principal Logging in SSLConnectionSocketFactory #581
base: master
Are you sure you want to change the base?
Conversation
@arturobernalg I think we have kind of decided to not do it, but if no one objects I see no reason to not merge this change-set |
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SSLConnectionSocketFactory.java
Outdated
Show resolved
Hide resolved
httpclient5/src/main/java/org/apache/hc/client5/http/ssl/SSLConnectionSocketFactory.java
Outdated
Show resolved
Hide resolved
6136ad0
to
521d77b
Compare
please @garydgregory do another pass. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, TY @arturobernalg
final X500Principal peer = x509.getSubjectX500Principal(); | ||
LOG.debug("Sanitized peer principal: {}", toEscapedString(peer)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Sanitized" -> "Escaped"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
33b7c54
to
bd7e619
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
final StringBuilder sanitizedPrincipal = new StringBuilder(principalValue.length()); | ||
for (final char c : principalValue.toCharArray()) { | ||
if (Character.isISOControl(c)) { | ||
sanitizedPrincipal.append("\\x").append(String.format("%02x", (int) c)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just remembered that we already do this kind of cleaning/escaping in org.apache.hc.core5.testing.nio.LoggingIOSession.logData(ByteBuffer, String)
. There may be an opportunity for some refactoring so that we use the same semantics for printing raw data.
@arturobernalg |
…haracters in X500Principal. Escapes ISO control characters in X500Principal using hexadecimal representation.
a2e43fa
to
9acd96c
Compare
@ok2c |
This PR addresses HTTPCLIENT-2337, which involves potentially unsafe logging of
X500Principal
inSSLConnectionSocketFactory.
The issue is caused by control characters in theX500Principal
being logged without sanitization, which could interfere with log readability.