[ https://issues.apache.org/jira/browse/HTTPCLIENT-2138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286176#comment-17286176 ]

Oleg Kalnichevski commented on HTTPCLIENT-2138:
-----------------------------------------------

[~cyrusv]  [~michael-o] This subject has been discussed on many prior 
occasions. The problem is that masking some header values in header logs is 
of little use if the same header values would still be visible in the HTTP/1.1 
wire and HTTP/2 packet logs.

The only reasonable practical solution that I personally see is to have a log 
filter [1] that masks content from all log categories and priorities based on 
patterns (such as regular expressions).

Logging filters are out of scope for us as a project, though; you are welcome to 
contribute a section describing the technique to the HC 4.x and HC 5.x logging 
guides [2][3].

Oleg
 [1] [http://logging.apache.org/log4j/2.x/manual/filters.html]
 [2] [http://hc.apache.org/httpcomponents-client-4.5.x/logging.html]
 [3] [http://hc.apache.org/httpcomponents-client-5.0.x/logging.html]

> Debug Log level logs sensitive information
> ------------------------------------------
>
>                 Key: HTTPCLIENT-2138
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2138
>             Project: HttpComponents HttpClient
>          Issue Type: Wish
>          Components: HttpClient (classic)
>            Reporter: Cyrus Vafadari
>            Priority: Minor
>
> When I enable debug level logging, I see
> ```
> [2021-01-20 18:02:35,862] DEBUG http-outgoing-0 >> Authorization: Basic <CREDENTIALS_APPEAR_HEAR_IN_BASE64> (org.apache.http.headers:139)
> [2021-01-20 18:02:35,884] DEBUG http-outgoing-0 >> "Authorization: Basic <CREDENTIALS_APPEAR_HEAR_IN_BASE64>[\r][\n]" (org.apache.http.wire:54)
> [2021-01-20 18:02:35,899] DEBUG http-outgoing-0 << " <title>Unauthorized (401)</title>[\n]" (org.apache.http.wire:54)
> ```
> If agreed, I can open a PR to mask secrets in the debug log. If that makes 
> the log less useful, I can at least make this configurable, since in my case 
> it is a security violation to have any secrets whatsoever in the logs.
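As an added illustration of the log-filter approach Oleg points to (not part of this Jira thread and not HttpClient's own code): a Log4j 2 configuration that rewrites every event reaching the appender, so the `org.apache.http.headers` and `org.apache.http.wire` categories from the quoted log are masked by one rule instead of patching each logger. The file name `log4j2.xml`, the appender name and the layout pattern are assumptions; the rule also covers Bearer tokens and `Proxy-Authorization`, which the issue does not mention.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- log4j2.xml (assumed location): strip Authorization credentials before
     any HttpClient debug line is written. Logger names are the HttpClient
     4.x categories shown in the issue. -->
<Configuration status="WARN">
  <Appenders>
    <Console name="Masked" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} %-5level %t %msg (%logger)%n">
        <!-- Replace is applied to the whole formatted line, so header and
             wire events are treated alike. The lookbehind keeps
             "Authorization: Basic " or "Authorization: Bearer " and blanks
             the token after it; the negated class stops at whitespace, the
             closing quote, or the "[\r][\n]" markers the wire log appends.
             "Proxy-Authorization: Basic ..." matches the same lookbehind.
             XML requires the "<" of "(?<=" to be written as "&lt;". -->
        <Replace regex='(?&lt;=Authorization: (?:Basic|Bearer) )[^\s"\[]+'
                 replacement="****"/>
      </PatternLayout>
    </Console>
  </Appenders>
  <Loggers>
    <!-- Debug output stays available; only the credential bytes are removed. -->
    <Logger name="org.apache.http.headers" level="debug" additivity="false">
      <AppenderRef ref="Masked"/>
    </Logger>
    <Logger name="org.apache.http.wire" level="debug" additivity="false">
      <AppenderRef ref="Masked"/>
    </Logger>
    <Root level="info">
      <AppenderRef ref="Masked"/>
    </Root>
  </Loggers>
</Configuration>
```

A text pattern only catches credentials that are logged as readable text; a category that hex-dumps raw frame payloads is not covered by this rule.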
--
This message was sent by Atlassian Jira
(v8.3.4#803005)