[
https://issues.apache.org/jira/browse/WW-5635?focusedWorklogId=1025124&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1025124
]
ASF GitHub Bot logged work on WW-5635:
--------------------------------------
Author: ASF GitHub Bot
Created on: 14/Jun/26 17:08
Start Date: 14/Jun/26 17:08
Worklog Time Spent: 10m
Work Description: lukaszlenart merged PR #1738:
URL: https://github.com/apache/struts/pull/1738
Issue Time Tracking
-------------------
Worklog Id: (was: 1025124)
Time Spent: 0.5h (was: 20m)
> TokenHelper.validToken() includes session token in WARN log output
> ------------------------------------------------------------------
>
> Key: WW-5635
> URL: https://issues.apache.org/jira/browse/WW-5635
> Project: Struts 2
> Issue Type: Improvement
> Reporter: Arun Manni
> Priority: Minor
> Fix For: 7.2.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> When TokenHelper.validToken() detects a CSRF token mismatch, the WARN-level
> log message includes the server-side session token in cleartext. Since the
> session token is only removed on a successful match, the logged value remains
> a live credential visible to anyone with log access.
> This change keeps the form token in the WARN message (with normalizeSpace
> sanitization) and logs full token detail only when devMode is enabled,
> consistent with how ParametersInterceptor handles user-supplied values
> elsewhere in the codebase.
> PR: https://github.com/apache/struts/pull/1738
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
