From 70ef9aa6b990653068dc41eac2f1b13c578036ce Mon Sep 17 00:00:00 2001
From: Jonathan Basseri <misterikkit@google.com>
Date: Tue, 7 Jul 2020 11:26:43 -0700
Subject: [PATCH] Do not log HTTP response body

Because this library may handle sensitive data in HTTP responses,
callers need to be sure that data is returned only to them and not
leaked in any side channels such as logs.

This is part of the fix for CVE-2020-8555.
---
 rpc_client.go | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/rpc_client.go b/rpc_client.go
index 4e8f1af..b5ea369 100644
--- a/rpc_client.go
+++ b/rpc_client.go
@@ -4,8 +4,8 @@ import (
 	"bytes"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io"
-	"io/ioutil"
 	"log"
 	"math/rand"
 	"net/http"
@@ -118,12 +118,7 @@ func (client QuobyteClient) sendRequest(method string, request interface{}, resp
 		if resp.StatusCode == 401 {
 			return errors.New("Unable to authenticate with Quobyte API service")
 		}
-		body, err := ioutil.ReadAll(resp.Body)
-		if err != nil {
-			return (err)
-		}
-		log.Printf("Warning: Dumping full reply body:\n%s\n", string(body))
-		return errors.New("JsonRPC failed, see plugin logfile for details")
+		return fmt.Errorf("JsonRPC failed with error code %d", resp.StatusCode)
 	}
 	return decodeResponse(resp.Body, &response)
 }