Posted to commits@trafficserver.apache.org by zw...@apache.org on 2021/11/09 21:21:18 UTC

[trafficserver] branch 9.2.x updated: ssl_secret debug printing: print only the first 50 bytes (#8483)

This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 9.2.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.2.x by this push:
     new 47247c2  ssl_secret debug printing: print only the first 50 bytes (#8483)
47247c2 is described below

commit 47247c2acc2d54079bc14bc435c120fe41c10337
Author: Brian Neradt <br...@verizonmedia.com>
AuthorDate: Mon Nov 1 18:21:12 2021 -0500

    ssl_secret debug printing: print only the first 50 bytes (#8483)
    
    The TLS secrets are sensitive. Print only the first 50 bytes, even with
    the debug tag for the print statements on.
    
    (cherry picked from commit 335686b7f1b7e5ecbca948beb50c48c08822d308)
---
 iocore/net/SSLSecret.cc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/iocore/net/SSLSecret.cc b/iocore/net/SSLSecret.cc
index 3135d56..5abdab0 100644
--- a/iocore/net/SSLSecret.cc
+++ b/iocore/net/SSLSecret.cc
@@ -82,7 +82,9 @@ SSLSecret::setSecret(const std::string &name, const char *data, int data_len)
     return false;
   }
   iter->second.assign(data, data_len);
-  Debug("ssl_secret", "Set secret for %s to %.*s", name.c_str(), static_cast<int>(iter->second.size()), iter->second.data());
+  // The full secret data can be sensitive. Print only the first 50 bytes.
+  int const print_length = (iter->second.size() > 50) ? 50 : static_cast<int>(iter->second.size());
+  Debug("ssl_secret", "Set secret for %s to %.*s", name.c_str(), print_length, iter->second.data());
   return true;
 }
 
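Review bot: The new print_length still sends the first 50 bytes of the secret to the debug log, and if the stored value is PEM text that window covers the header plus the start of the key material, so the change narrows the exposure rather than removing it; logging only the size is the safer default, e.g. `Debug("ssl_secret", "Set secret for %s (%zu bytes)", name.c_str(), iter->second.size());`. The same applies to the matching hunk in getSecret. If a prefix is kept on purpose, the message should make the truncation visible so a reader does not take the prefix for the whole value, e.g. `"Set secret for %s to %.*s%s"` with a trailing `iter->second.size() > 50 ? "..." : ""` argument. The literal 50 is now duplicated across both hunks; a single file-level `static constexpr size_t kSecretDebugPrefixLen = 50;` used in both places (with `std::min` if <algorithm> is already included) would keep them in step.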
@@ -102,7 +104,9 @@ SSLSecret::getSecret(const std::string &name, std::string_view &data) const
 {
   const std::string *data_item = this->getSecretItem(name);
   if (data_item) {
-    Debug("ssl_secret", "Get secret for %s: %.*s", name.c_str(), static_cast<int>(data_item->length()), data_item->data());
+    // The full secret data can be sensitive. Print only the first 50 bytes.
+    int const print_length = (data_item->length() > 50) ? 50 : static_cast<int>(data_item->length());
+    Debug("ssl_secret", "Get secret for %s: %.*s", name.c_str(), print_length, data_item->data());
     data = *data_item;
   } else {
     Debug("ssl_secret", "Get secret for %s: not found", name.c_str());