arunmanni-ai opened a new pull request, #1738:
URL: https://github.com/apache/struts/pull/1738
## Summary
When `TokenHelper.validToken()` detects a CSRF token mismatch, the
WARN-level log message currently includes both the user-submitted form token
and the server-side session token in cleartext. Since the session token is only
removed on a successful match, the logged value remains a live credential —
visible to anyone with access to application logs.
This change redacts the token values from the WARN message and moves
operational detail to DEBUG level with sanitized input, consistent with how
`ParametersInterceptor` already handles user-supplied values elsewhere in the
codebase.
## Changes
**`TokenHelper.java`**
- WARN log no longer interpolates token values (`new Object[0]` replaces
`new Object[]{ token, sessionToken }`)
- New DEBUG-level line logs only boolean presence (`token != null`,
`sessionToken != null`), never the actual values
- Token name is passed through `normalizeSpace()` before logging, matching
the pattern in `ParametersInterceptor` (lines 221, 622)
**6 i18n properties files**
- `struts-messages.properties`, `_en`, `_da`, `_de`, `_pl`, `_pt` — removed
`{0}` and `{1}` format specifiers from `struts.internal.invalid.token`
## What is NOT changed
- Token generation, entropy, and session storage
- The `equals()` comparison and token-removal-on-success logic
- User-facing error messages (`struts.messages.invalid.token` — separate
key, untouched)
- Return values from `validToken()` and interceptor result codes
- No existing tests assert on log output content
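As an added illustration of the pattern this PR describes (not code from the PR or from Struts itself), the leaky form of a `validToken`-style check beside the redacted form. `TokenCheckExample`, `validTokenLeaky`, `validTokenRedacted`, the stand-in `normalizeSpace()` helper, the use of `java.util.logging` instead of Struts' logging facade and the sample values are all assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical stand-in for TokenHelper.validToken(); names and structure are
// assumptions for illustration, not Struts' own code.
public class TokenCheckExample {
    private static final Logger LOG = Logger.getLogger(TokenCheckExample.class.getName());

    // Collapse runs of whitespace (including CR/LF) to one space and trim, so a
    // user-controlled token name cannot forge extra lines in the log.
    static String normalizeSpace(String s) {
        return s == null ? null : s.trim().replaceAll("\\s+", " ");
    }

    // Before: both values are interpolated into the WARN message. The session
    // token is only removed on success, so the log now holds a live credential.
    static boolean validTokenLeaky(String tokenName, String token, Map<String, String> session) {
        String sessionToken = session.get(tokenName);
        if (sessionToken == null || !sessionToken.equals(token)) {
            LOG.log(Level.WARNING, "Form token {0} does not match the session token {1}",
                    new Object[]{token, sessionToken});
            return false;
        }
        session.remove(tokenName);
        return true;
    }

    // After: WARN carries no values; the DEBUG-level line (FINE in
    // java.util.logging) records only presence booleans and a sanitized name.
    static boolean validTokenRedacted(String tokenName, String token, Map<String, String> session) {
        String sessionToken = session.get(tokenName);
        if (sessionToken == null || !sessionToken.equals(token)) {
            LOG.log(Level.WARNING, "Form token does not match the session token", new Object[0]);
            LOG.log(Level.FINE, "Token mismatch for ''{0}'': form token present={1}, session token present={2}",
                    new Object[]{normalizeSpace(tokenName), token != null, sessionToken != null});
            return false;
        }
        session.remove(tokenName);
        return true;
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();
        session.put("struts.token", "s3cr3t-session-token");          // constructed sample value
        validTokenLeaky("struts.token", "wrong", session);             // writes the live token to the log
        validTokenRedacted("struts.token\nFAKE LINE", "wrong", session); // no values, newline collapsed
        System.out.println("session token still stored: " + session.containsKey("struts.token"));
    }
}
```

The default `java.util.logging` level is INFO, so the FINE line only appears once the logger is configured for it; the WARN line prints either way and, in the redacted form, contains nothing an attacker could replay.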
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]