Arun Manni created WW-5635:
------------------------------
Summary: TokenHelper.validToken() includes session token in WARN log output
Key: WW-5635
URL: https://issues.apache.org/jira/browse/WW-5635
Project: Struts 2
Issue Type: Improvement
Reporter: Arun Manni
When TokenHelper.validToken() detects a CSRF token mismatch, the WARN-level log
message includes the server-side session token in cleartext. Since the session
token is only removed on a successful match, the logged value remains a live
credential visible to anyone with log access.
This change keeps the form token in the WARN message (with normalizeSpace
sanitization) and logs full token detail only when devMode is enabled,
consistent with how ParametersInterceptor handles user-supplied values
elsewhere in the codebase.
PR: https://github.com/apache/struts/pull/1738
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
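As an added illustration of the pattern described in the issue (not code from the Struts project or from the linked PR), the leaky and hardened forms of such a token check side by side in plain Java. The class and method names, the `tokenName` parameter and the local `normalizeSpace` stand-in are hypothetical; the devMode branch follows the behaviour the description above asks for, and the sample session and form values are constructed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Hypothetical CSRF token check (not Struts code). Shows the log leak
 * described in WW-5635 next to a hardened version of the same check.
 */
public final class TokenCheckExample {

    private static final Logger LOG = Logger.getLogger(TokenCheckExample.class.getName());

    /**
     * Collapse runs of whitespace (including CR/LF) to one space and trim, so a
     * user-supplied value cannot smuggle extra lines into the log. Stand-in for
     * the normalizeSpace sanitization named in the issue.
     */
    static String normalizeSpace(String s) {
        return s == null ? "" : s.replaceAll("\\s+", " ").trim();
    }

    /** BEFORE (leaky): on mismatch the live session token is written to the WARN log. */
    static boolean validTokenLeaky(Map<String, String> session, String tokenName, String formToken) {
        String sessionToken = session.get(tokenName);
        if (sessionToken == null || !sessionToken.equals(formToken)) {
            // Both values logged raw: the session token stays valid for the next attempt,
            // so this line is a live credential for anyone who can read the log.
            LOG.log(Level.WARNING, "Form token {0} does not match the session token {1}",
                    new Object[] {formToken, sessionToken});
            return false;
        }
        session.remove(tokenName); // one-time use: consumed only on a successful match
        return true;
    }

    /**
     * AFTER (hardened): the WARN line carries only the sanitized form token; the
     * server-side token is logged only when devMode is on, and at a lower level.
     */
    static boolean validTokenHardened(Map<String, String> session, String tokenName,
                                      String formToken, boolean devMode) {
        String sessionToken = session.get(tokenName);
        if (sessionToken == null || !sessionToken.equals(formToken)) {
            LOG.log(Level.WARNING, "Form token {0} does not match the session token",
                    normalizeSpace(formToken));
            if (devMode) {
                LOG.log(Level.FINE, "devMode: expected session token {0}", sessionToken);
            }
            return false;
        }
        session.remove(tokenName);
        return true;
    }

    public static void main(String[] args) {
        Map<String, String> session = new HashMap<>();
        session.put("struts.token", "a1b2c3-constructed-session-token"); // constructed sample
        String forged = "wrong\nWARNING: forged log line";              // constructed sample

        validTokenLeaky(session, "struts.token", forged);           // leaks session token, raw newline
        validTokenHardened(session, "struts.token", forged, false); // sanitized form token only
        System.out.println("token still live after mismatch: " + session.containsKey("struts.token"));

        validTokenHardened(session, "struts.token", "a1b2c3-constructed-session-token", false);
        System.out.println("token consumed after success: " + !session.containsKey("struts.token"));
    }
}
```

Run with `javac TokenCheckExample.java && java TokenCheckExample` and compare the two WARNING lines on the console: the first contains the session token and a second fabricated line, the second contains neither. A log-monitoring rule that flags the session token string in WARN output would fire on the first call and stay quiet on the second.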