Closed
Bug 409673
Opened 17 years ago
Closed 17 years ago
Do not log Authorization header in clear text
Categories
(Cloud Services :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: sylvain.pasche, Assigned: hello)
Details
Attachments
(1 file)
910 bytes,
patch
That contains the password when using Basic auth, after a small base64 decoding. Would be best to avoid it, in particular when users are starting to attach log files in bugs. Necko does it this way: http://mxr.mozilla.org/mozilla/source/netwerk/protocol/http/src/nsHttpTransaction.cpp#109
Updated•17 years ago
Assignee: nobody → thunder
Status: ASSIGNED → NEW
Updated•17 years ago
Status: NEW → ASSIGNED
Comment 2 (Assignee) • 17 years ago
Here's the patch. It will go out in the next version.
Comment 3 • 17 years ago
Comment on attachment 294598 [details] [diff] [review] Don't log the auth header >- this._log.debug("HTTP Header " + key + ": " + headers[key]); >+ if (key == 'Authentication') >+ this._log.debug("HTTP Header " + key + ": (supressed)"); s/supressed/suppressed/, though you might could just do "****** (suppressed)" (to show you're suppressing the key or something) >+ else >+ this._log.debug("HTTP Header " + key + ": " + headers[key]);
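Review bot: the added condition `key == 'Authentication'` tests a name that is not the HTTP credential header, which is `Authorization`, so the check never matches and the `else` branch still logs the Basic auth value in clear text. Compare against 'Authorization' instead, preferably on a lower-cased key because HTTP header names are case-insensitive, and correct "supressed" to "suppressed" in the debug string.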
Comment 4 (Assignee) • 17 years ago
Oops, typo. Fixed in committed version.
Comment 5 (Assignee) • 17 years ago
Fixed another problem (the header is called 'Authorization'). It's now released, in 0.1.12.11
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•15 years ago
Component: Weave → General
Product: Mozilla Labs → Weave
Target Milestone: -- → ---
Updated•15 years ago
QA Contact: weave → general
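The header-suppression approach from this bug, written out as an added example (not Weave's code or the committed patch). It goes slightly beyond the thread by matching names case-insensitively and by also covering `Proxy-Authorization`; the function names and the sample headers are assumptions made for illustration.

```javascript
// Added example, not Weave code. Header names whose values carry credentials.
// Compared in lower case because HTTP header names are case-insensitive.
const SENSITIVE_HEADERS = new Set(["authorization", "proxy-authorization"]);

// Return a log-safe form of one header value. For sensitive headers the
// auth scheme (e.g. "Basic") is kept for debugging; the credential is dropped.
function redactHeaderValue(name, value) {
  const text = String(value);
  if (!SENSITIVE_HEADERS.has(String(name).toLowerCase())) {
    return text;
  }
  const match = /^\s*(\S+)\s+\S/.exec(text);
  return match ? match[1] + " (suppressed)" : "(suppressed)";
}

// Build the debug lines in the same "HTTP Header key: value" shape as the bug.
function formatHeadersForLog(headers) {
  return Object.keys(headers).map(
    (key) => "HTTP Header " + key + ": " + redactHeaderValue(key, headers[key])
  );
}

// Constructed sample request headers (user name and password are made up).
const sampleHeaders = {
  "Content-Type": "application/json",
  "authorization": "Basic " + Buffer.from("alice:s3cret").toString("base64"),
};

for (const line of formatHeadersForLog(sampleHeaders)) {
  console.log(line);
}
```

A lookup keyed on the lower-cased name also avoids the misspelled-name problem seen in the first patch, since the list of sensitive headers lives in one place.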