Dmytro Sylaiev created CXF-9083:
-----------------------------------
Summary: HTTPConduit prints POST all form parameters to the debug
log when handleRedirects
Key: CXF-9083
URL: https://issues.apache.org/jira/browse/CXF-9083
Project: CXF
Issue Type: Bug
Affects Versions: 3.6.4, 3.5.9
Reporter: Dmytro Sylaiev
When executing WebClient::invoke("POST", javax.ws.rs.core.Form), all Form
parameters are printed out to the debug log even though they might contain some
sensitive data. LoggingFeature does not filter or mask them, since it can be used
only to mask response body JSON or XML, as I understand from the reply on
CXF-9070.
In the end I have this debug log message:
{noformat}
[DEBUG] 16:30:15 org.apache.cxf.transport.http.HTTPConduit- Conduit
"{%URL%}WebClient.http-conduit" Transmit cached message to: %URL%:
param1...paramN&client_secret=SECRET_DATA
{noformat}
where SECRET_DATA should not be printed. From what I see in the code, there's no
way to filter it out or mask it in any way, and in my opinion it should be fixed.