...
Noncompliant Code Example
Logged Log messages with sensitive information should not be elided from printed to the console display for security reasons (a possible example might be passenger age). The java.util.logging.Logger class supports different logging levels that can be used for classifying such information. These are FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE. The By default, the INFO, WARNING and SEVERE levels log print the message to the console, which is accessible by end users (console) and system administrators.
This noncompliant code example assumes that the log message is not so sensitive as appear in other destinations, such as system log files, but is too sensitive to appear on a console display.
| Code Block | ||
|---|---|---|
| ||
logger.info("Age: " + passengerAge);
|
...
This compliant solution logs at a level below INFO — FINEST, in this case — to prevent the passenger age from being displayed on the console. It also makes sure that such messages do not appear on the console. Thus the age is not actually logged.
| Code Block | ||
|---|---|---|
| ||
// make sure that all handlers only print log messages rated INFO or higher
Handler handlers[] = logger.getHandlers();
for (int i = 0; i < handlers.length; i++) {
handlers[i].setLevel(Level.INFO);
}
// ...
logger.finest("Age: " + passengerAge);
|
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="567723a3d9fd0180-26609cca-49654389-8d31a838-945b05ea9b0813003a930174"><ac:plain-text-body><![CDATA[ | [[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE ID 532 | http://cwe.mitre.org/data/definitions/532.html] "Information Exposure Through Log Files" | ]]></ac:plain-text-body></ac:structured-macro> |
| CWE ID 533 "Information Exposure Through Server Log Files" | ||||
| CWE ID 359 "Privacy Violation" | ||||
| CWE ID 542 "Information Exposure Through Cleanup Log Files" |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="911645272b6e336c-63e3aa77-43ae48d9-ae278acc-3674f28c44624e5b62dd8660"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | Class | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7e0e5a8e2cc60854-59fbe351-442e4fe4-bb9a9a9c-959c2b6aa27e02326495f5c4"><ac:plain-text-body><![CDATA[ | [[Chess 2007 | AA. Bibliography#Chess 07]] | 11.1 Privacy and Regulation: Handling Private Information | ]]></ac:plain-text-body></ac:structured-macro> | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="38f5bdc6ac34ecb9-b3f12c65-46b84da3-9585b027-566dc0b1b18d674695c13fc8"><ac:plain-text-body><![CDATA[ | [[CVE 2008 | AA. Bibliography#CVE 08]] | [CVE-2005-2990 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2990] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6b429c4f3dd604e7-4e6d5da4-42ee4388-b6e091b6-9dcca9b27e39548fa766fcf5"><ac:plain-text-body><![CDATA[ | [[Sun 2006 | AA. Bibliography#Sun 06]] | [Java Logging Overview | http://java.sun.com/javase/6/docs/technotes/guides/logging/overview.html] | ]]></ac:plain-text-body></ac:structured-macro> |
...