[https://issues.apache.org/jira/browse/HTTPCLIENT-2138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17286210#comment-17286210]
Cyrus Vafadari commented on HTTPCLIENT-2138:
--------------------------------------------
[~olegk], I understand your concern with wire/packet. To elaborate on my use
case, I would like to ship a jar with HttpClient as a dep to other users, and I
won't have control over how they choose to configure their log4j.
I think it could be possible to work around this by setting the log level in my
java code before the HttpClient is used, but I've not done something like this
before.
Would you be open to a Client configuration to disable wire/packet logs? That
config, along with masking sensitive headers, would allow me to use HttpClient
as a java dep with confidence that an unwitting end user won't expose secrets
with their log configs.
> Debug Log level logs sensitive information
> ------------------------------------------
>
> Key: HTTPCLIENT-2138
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2138
> Project: HttpComponents HttpClient
> Issue Type: Wish
> Components: HttpClient (classic)
> Reporter: Cyrus Vafadari
> Priority: Minor
>
> When I enable debug level logging, I see
> ```
> [2021-01-20 18:02:35,862] DEBUG http-outgoing-0 >> Authorization: Basic <CREDENTIALS_APPEAR_HEAR_IN_BASE64> (org.apache.http.headers:139)
> [2021-01-20 18:02:35,884] DEBUG http-outgoing-0 >> "Authorization: Basic <CREDENTIALS_APPEAR_HEAR_IN_BASE64>[\r][\n]" (org.apache.http.wire:54)
> [2021-01-20 18:02:35,899] DEBUG http-outgoing-0 << " <title>Unauthorized (401)</title>[\n]" (org.apache.http.wire:54)
> ```
> If agreed, I can open a PR to mask secrets in the debug log. If that makes
> the log less useful, I can at least make this configurable, since in my case
> it is a security violation to have any secrets whatsoever in the logs
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
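The masking the reporter proposes, shown here as an added example that is not part of the issue or of HttpClient: a scrubber for the `org.apache.http.headers` and `org.apache.http.wire` debug lines that redacts credential-bearing header values (keeping only the auth scheme) and counts how many lines leaked one. The sample lines are constructed to mirror the reporter's output with a made-up base64 value; the header list beyond `Authorization` is an assumption.

```python
import re

# Constructed sample lines modelled on the reporter's HttpClient debug output.
# "dXNlcjpwYXNz" is a made-up base64 value standing in for a real credential.
SAMPLE_LOG = [
    '[2021-01-20 18:02:35,862] DEBUG http-outgoing-0 >> Authorization: Basic dXNlcjpwYXNz (org.apache.http.headers:139)',
    '[2021-01-20 18:02:35,884] DEBUG http-outgoing-0 >> "Authorization: Basic dXNlcjpwYXNz[\\r][\\n]" (org.apache.http.wire:54)',
    '[2021-01-20 18:02:35,899] DEBUG http-outgoing-0 << " <title>Unauthorized (401)</title>[\\n]" (org.apache.http.wire:54)',
]

# Header names whose values must never reach a log. Authorization is the one from
# the issue; the rest are an assumption (other common credential-bearing headers).
SENSITIVE_HEADERS = ("Authorization", "Proxy-Authorization", "Cookie", "Set-Cookie")

# "<Header>: <value>" where the value runs up to the wire-log escapes [\r] / [\n],
# a closing quote, the "(org.apache.http..." source suffix, or end of line.
_PATTERN = re.compile(
    r"(?P<name>" + "|".join(SENSITIVE_HEADERS) + r"):\s*"
    r"(?P<value>[^\"\[\n]*?)"
    r"(?=\[\\r\]|\[\\n\]|\"|\s*\(org\.apache\.http\.|$)",
    re.IGNORECASE,
)


def _redact(m: re.Match) -> str:
    """Keep the auth scheme (Basic/Bearer/...) for debuggability, drop the secret."""
    name, value = m.group("name"), m.group("value")
    if name.lower() in ("authorization", "proxy-authorization"):
        scheme, _, secret = value.partition(" ")
        if secret:
            return f"{name}: {scheme} ***"
    return f"{name}: ***"


def scan(lines):
    """Return (masked_lines, leak_count): the lines with sensitive header values
    replaced by '***', and how many lines contained at least one such value."""
    masked, leaks = [], 0
    for line in lines:
        cleaned, hits = _PATTERN.subn(_redact, line)
        leaks += 1 if hits else 0
        masked.append(cleaned)
    return masked, leaks


if __name__ == "__main__":
    out, n = scan(SAMPLE_LOG)
    print(f"{n} line(s) leaked a credential")
    print("\n".join(out))
```

Header masking does not cover the `org.apache.http.wire` logger's dump of request and response bodies, so a credential sent in a body still needs that logger silenced (the log-level configuration discussed in the thread).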