

Do not log HTTP response body
Because this library may handle sensitive data in HTTP responses,
callers need to be sure that data is returned only to them and not
leaked in any side channels such as logs.

This is part of the fix for CVE-2020-8555.
Jonathan Basseri committed Jul 7, 2020
1 parent a95a89e commit 70ef9aa
Showing 1 changed file with 2 additions and 7 deletions.
9 changes: 2 additions & 7 deletions rpc_client.go
Expand Up @@ -4,8 +4,8 @@ import (
"bytes"
"encoding/json"
"errors"
"fmt"
"io"
"io/ioutil"
"log"
"math/rand"
"net/http"
Expand Down Expand Up @@ -118,12 +118,7 @@ func (client QuobyteClient) sendRequest(method string, request interface{}, resp
if resp.StatusCode == 401 {
return errors.New("Unable to authenticate with Quobyte API service")
}
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
return (err)
}
log.Printf("Warning: Dumping full reply body:\n%s\n", string(body))
return errors.New("JsonRPC failed, see plugin logfile for details")
return fmt.Errorf("JsonRPC failed with error code %d", resp.StatusCode)
}
return decodeResponse(resp.Body, &response)
}
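Review bot: The new `fmt.Errorf` return in the non-OK branch leaves the response body unread, and nothing in this hunk closes it; if `sendRequest` relies on a deferred `resp.Body.Close()` (the function's head is outside the hunk) that is fine for correctness, but an unconsumed body also prevents the underlying connection from being reused, so a bounded drain before returning would be reasonable if the caller loop is hot. Since the whole point of the change is that the body must never be dumped, the intent deserves a comment next to the new return so a later maintainer does not reintroduce the log line: `// Do not read or log the body here: it may contain sensitive data (CVE-2020-8555).`. The status code alone is somewhat thin for diagnosis; `resp.Status` (code plus reason phrase) gives a little more without touching the body, e.g. `return fmt.Errorf("JsonRPC failed with HTTP status %q", resp.Status)`. In the import hunk above, only one of `io/ioutil` and `log` is dropped alongside the added `fmt`, which cannot be determined from this rendering; whichever remains presumably still has a user elsewhere in the file.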

