Closed Bug 409673 Opened 14 years ago Closed 14 years ago
Do not log Authorization header in clear text
That contains the password when using Basic auth, after a small base64 decoding. Would be best to avoid it, in particular when users are starting to attach log files in bugs. Necko does it this way: http://mxr.mozilla.org/mozilla/source/netwerk/protocol/http/src/nsHttpTransaction.cpp#109
Indeed. Taking bug.
Status: NEW → ASSIGNED
Assignee: nobody → thunder
Status: ASSIGNED → NEW
Here's the patch. It will go out in the next version.
Comment on attachment 294598 [details] [diff] [review] Don't log the auth header >- this._log.debug("HTTP Header " + key + ": " + headers[key]); >+ if (key == 'Authentication') >+ this._log.debug("HTTP Header " + key + ": (supressed)"); s/supressed/suppressed/, though you might could just do "****** (suppressed)" (to show you're suppressing the key or something) >+ else >+ this._log.debug("HTTP Header " + key + ": " + headers[key]);
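Review bot: the added condition `if (key == 'Authentication')` compares against a name that is not the header this bug is about. The credential travels in `Authorization`, so with this check the `else` branch still logs the Basic auth value in clear text. Compare against 'Authorization' instead, and do it case-insensitively, since HTTP header names are case-insensitive and `headers` may carry the key in another casing. The multi-line `if`/`else` would also be safer with braces around both branches.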
Oops, typo. Fixed in committed version.
Fixed another problem (the header is called 'Authorization'). It's now released, in 0.1.12.11
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Component: Weave → General
Product: Mozilla Labs → Weave
Target Milestone: -- → ---
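As an added example (not the Weave patch or any code from this bug), the following JavaScript sketches header logging that masks credential-bearing headers regardless of the casing of the header name, and shows why the Basic value must never reach a log. The function names, the set of masked headers and the sample values are assumptions, and `Buffer` assumes Node.js.

```javascript
// Added example: names and sample values are constructed for illustration.
// Headers whose values carry credentials (assumed list; extend as needed).
const SENSITIVE_HEADERS = new Set(["authorization", "proxy-authorization"]);

// Return the log line for one request header, masking credential values.
// HTTP header names are case-insensitive, so normalise before comparing.
function formatHeaderForLog(name, value) {
  const sensitive = SENSITIVE_HEADERS.has(String(name).trim().toLowerCase());
  return "HTTP Header " + name + ": " + (sensitive ? "****** (suppressed)" : value);
}

// Build the log lines for a whole headers object without modifying it.
function formatHeadersForLog(headers) {
  return Object.keys(headers).map((key) => formatHeaderForLog(key, headers[key]));
}

// Why masking matters: a Basic credential is only base64("user:password"),
// so anyone who reads the log line can recover the password.
function decodeBasic(value) {
  const match = /^Basic\s+(\S+)$/i.exec(value);
  return match ? Buffer.from(match[1], "base64").toString("utf8") : null;
}

// Constructed sample request headers (not real credentials). The lowercase
// key shows the case a plain == 'Authorization' comparison would miss.
const sampleHeaders = {
  "Accept": "*/*",
  "authorization": "Basic " + Buffer.from("alice:s3cret").toString("base64"),
};

const sampleLogLines = formatHeadersForLog(sampleHeaders);
```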