[
https://issues.apache.org/jira/browse/HTTPCLIENT-2138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286157#comment-17286157
]
Michael Osipov commented on HTTPCLIENT-2138:
--------------------------------------------
{{#toMaskedString()}} regardless of the implementation sounds interesting for
those who need it. {{toString()}} should be left untouched.
For me, it kills a lot of context information because I do use it to analyze
issues. It could be any field containing sensitive information not just
{((Proxy-)Authorization}}. For me, this should not be the default, but
configurable at some point. It don't know whether at client creation time or
request config.
[~olegk], WDYT?
> Debug Log level logs sensitive information
> ------------------------------------------
>
> Key: HTTPCLIENT-2138
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2138
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (classic)
> Reporter: Cyrus Vafadari
> Priority: Major
>
> When I enable debug level logging, I see
> ```
> [2021-01-20 18:02:35,862] DEBUG http-outgoing-0 >> Authorization: Basic
> <CREDENTIALS_APPEAR_HEAR_IN_BASE64> (org.apache.http.headers:139) [2021-01-20
> 18:02:35,884] DEBUG http-outgoing-0 >> "Authorization: Basic
> <CREDENTIALS_APPEAR_HEAR_IN_BASE64>[\r][\n]" (org.apache.http.wire:54)
> [2021-01-20 18:02:35,899] DEBUG http-outgoing-0 << " <title>Unauthorized
> (401)</title>[\n]" (org.apache.http.wire:54)
> ```
> If agreed, I can open a PR to mask secrets in the debug log. If that makes
> the log less useful, I can at least make this configurable, since in my case
> it is a security violation to have any secrets whatsover in the logs
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
