Closed Bug 409673 Opened 14 years ago Closed 14 years ago

Do not log Authorization header in clear text

Categories

(Cloud Services :: General, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: sylvain.pasche, Assigned: hello)

Details

Attachments

(1 file)

That contains the password when using Basic auth, after a small base64 decoding.

Would be best to avoid it, in particular when users are starting to attach log files in bugs.

Necko does it this way: http://mxr.mozilla.org/mozilla/source/netwerk/protocol/http/src/nsHttpTransaction.cpp#109
Indeed.  Taking bug.
Status: NEW → ASSIGNED
Assignee: nobody → thunder
Status: ASSIGNED → NEW
Status: NEW → ASSIGNED
Here's the patch.
It will go out in the next version.
Comment on attachment 294598
Don't log the auth header

>-        this._log.debug("HTTP Header " + key + ": " + headers[key]);
>+        if (key == 'Authentication')
>+          this._log.debug("HTTP Header " + key + ": (supressed)");

s/supressed/suppressed/, though you might could just do "****** (suppressed)" (to show you're suppressing the key or something)

>+        else
>+          this._log.debug("HTTP Header " + key + ": " + headers[key]);
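
Review bot: the added test "if (key == 'Authentication')" compares against a header name that does not carry the credential. The Basic auth value is sent in 'Authorization', the header named in this bug's summary, so the suppressing branch never matches and the else branch still writes headers[key] to the debug log in full. Compare against 'Authorization' instead, preferably on a lower-cased key since HTTP header names are case-insensitive, and consider handling 'Proxy-Authorization' the same way.
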
Oops, typo.  Fixed in committed version.
Fixed another problem (the header is called 'Authorization').
It's now released, in 0.1.12.11
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Component: Weave → General
Product: Mozilla Labs → Weave
Target Milestone: -- → ---
QA Contact: weave → general
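
A header-logging filter for the problem discussed in this bug, written as an added example (it is not the Weave patch or Necko's code). It goes slightly beyond the fix by matching names case-insensitively, covering Proxy-Authorization, and keeping the auth scheme while dropping the credential. The function names and sample headers are assumptions made for the example.

```javascript
// Added example: names and sample values below are constructed for illustration.

// Header names whose values carry credentials; stored in lower case
// because HTTP header field names are case-insensitive.
const SENSITIVE_HEADERS = new Set(["authorization", "proxy-authorization"]);

// Return the text that is safe to log for one header.
// For credential headers only the auth scheme (e.g. "Basic") is kept,
// so the log still shows which mechanism was used without the secret.
function loggableHeaderValue(name, value) {
  if (!SENSITIVE_HEADERS.has(String(name).toLowerCase())) {
    return String(value);
  }
  const text = String(value).trim();
  const space = text.indexOf(" ");
  // No space means there is no separate scheme token: hide everything.
  return space > 0 ? text.slice(0, space) + " (suppressed)" : "(suppressed)";
}

// Build the debug lines for a header map, in the "HTTP Header k: v"
// shape used by the logging call in the patch.
function headerLogLines(headers) {
  return Object.keys(headers).map(
    (key) => "HTTP Header " + key + ": " + loggableHeaderValue(key, headers[key])
  );
}

// Constructed sample: "dXNlcjpwYXNz" is base64 for "user:pass".
const sampleHeaders = {
  "Content-Type": "application/json",
  "authorization": "Basic dXNlcjpwYXNz",
  "Proxy-Authorization": "Basic dXNlcjpwYXNz",
};

for (const line of headerLogLines(sampleHeaders)) {
  console.log(line);
}
```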