[jira] [Updated] (WW-5635) TokenHelper.validToken() includes session token in WARN log output

Lukasz Lenart (Jira) Sun, 14 Jun 2026 09:45:23 -0700


     [ 
https://issues.apache.org/jira/browse/WW-5635?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Lukasz Lenart updated WW-5635:
------------------------------
    Fix Version/s: 7.2.0

> TokenHelper.validToken() includes session token in WARN log output
> ------------------------------------------------------------------
>
>                 Key: WW-5635
>                 URL: https://issues.apache.org/jira/browse/WW-5635
>             Project: Struts 2
>          Issue Type: Improvement
>            Reporter: Arun Manni
>            Priority: Major
>             Fix For: 7.2.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> When TokenHelper.validToken() detects a CSRF token mismatch, the WARN-level 
> log message includes the server-side session token in cleartext. Since the 
> session token is only removed on a successful match, the logged value remains 
> a live credential visible to anyone with log access.
> This change keeps the form token in the WARN message (with normalizeSpace 
> sanitization) and logs full token detail only when devMode is enabled, 
> consistent with how ParametersInterceptor handles user-supplied values 
> elsewhere in the codebase.
> PR: https://github.com/apache/struts/pull/1738



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (WW-5635) TokenHelper.validToken() includes session token in WARN log output

Reply via email to