[
https://issues.apache.org/jira/browse/WW-5635?focusedWorklogId=1025123&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1025123
]
ASF GitHub Bot logged work on WW-5635:
--------------------------------------
Author: ASF GitHub Bot
Created on: 14/Jun/26 17:00
Start Date: 14/Jun/26 17:00
Worklog Time Spent: 10m
Work Description: arunmanni-ai commented on PR #1738:
URL: https://github.com/apache/struts/pull/1738#issuecomment-4702434936
Updated — using Dispatcher.getInstance().isDevMode() with null guard as you
suggested. PR description updated to reflect WARN-level logging under devMode.
Issue Time Tracking
-------------------
Worklog Id: (was: 1025123)
Time Spent: 20m (was: 10m)
> TokenHelper.validToken() includes session token in WARN log output
> ------------------------------------------------------------------
>
> Key: WW-5635
> URL: https://issues.apache.org/jira/browse/WW-5635
> Project: Struts 2
> Issue Type: Improvement
> Reporter: Arun Manni
> Priority: Minor
> Fix For: 7.2.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> When TokenHelper.validToken() detects a CSRF token mismatch, the WARN-level
> log message includes the server-side session token in cleartext. Since the
> session token is only removed on a successful match, the logged value remains
> a live credential visible to anyone with log access.
> This change keeps the form token in the WARN message (with normalizeSpace
> sanitization) and logs full token detail only when devMode is enabled,
> consistent with how ParametersInterceptor handles user-supplied values
> elsewhere in the codebase.
> PR: https://github.com/apache/struts/pull/1738
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
