Posted to dev@hc.apache.org by "Julian Sedding (JIRA)" <ji...@apache.org> on 2017/02/01 16:45:51 UTC

[jira] [Commented] (HTTPCLIENT-1811) Security : Authorization header should not be printed in debug log

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15848608#comment-15848608 ] 

Julian Sedding commented on HTTPCLIENT-1811:
--------------------------------------------

I'm against swallowing the header value, as that can be highly misleading when debugging an issue. If we keep the log but only obfuscate the value (and indicate that it is obfuscated!), that would be fine for me. Keeping the obfuscated value stable, so it can be grepped, etc., would also be helpful. Maybe shortening the value or hashing it would work?

> Security : Authorization header should not be printed in debug log
> -------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1811
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1811
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (async)
>            Reporter: Sujitha Chinnathambi
>         Attachments: httpclient.patch
>
>
> Current behaviour: When an https call is made with basic authentication in debug mode, the authorization information transferred as part of the 'Authorization' header is printed in the log by the artifact below
>   <groupId>org.apache.httpcomponents</groupId>
>   <artifactId>httpclient</artifactId>
>   <version>4.3.6</version>
> Example:
> org.apache.http.wire - []  >> "Authorization: Basic VEVTVCBLSCAwMS9TQ0hVTFVORzpzY2h1bHVuZw==[\r][\n]"
> org.apache.http.headers - [] >> Authorization: Basic VEVTVCBLSCAwMS9TQ0hVTFVORzpzY2h1bHVuZw==
> Expected behaviour:
> Though the log level is debug, authorization information should not be printed in the log.
> Attached httpclient.patch as proposal.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
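Julian's suggestion worked through as an added example (not code from HttpClient or from the thread): the credential is replaced by a stable, explicitly marked fingerprint, so the header still shows up in the log and identical credentials can still be grepped across lines. It uses a keyed HMAC instead of a bare hash because a Basic credential is low-entropy and a plain hash could be checked offline by anyone holding the log; the key and the sample credential are constructed placeholders.

```python
import hashlib
import hmac

# Headers whose values carry credentials and must never reach a debug log verbatim.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization"}

# Constructed placeholder key; in practice it comes from deployment configuration so the
# fingerprint stays stable (greppable) per deployment but cannot be recomputed from the log.
LOG_FINGERPRINT_KEY = b"example-log-fingerprint-key-not-for-production"
FINGERPRINT_HEX_CHARS = 12
WIRE_EOL = "[\\r][\\n]"  # how httpclient's wire log renders CRLF


def fingerprint(secret: str) -> str:
    """Stable, keyed, truncated fingerprint of a credential for log correlation."""
    mac = hmac.new(LOG_FINGERPRINT_KEY, secret.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:FINGERPRINT_HEX_CHARS]


def redact_header_value(name: str, value: str) -> str:
    """Value to log for header `name`. Sensitive headers keep the auth scheme (Basic,
    Bearer, ...) so the log still shows what authentication was attempted, while the
    credential is replaced by an explicitly marked fingerprint."""
    if name.lower() not in SENSITIVE_HEADERS:
        return value
    scheme, sep, credential = value.strip().partition(" ")
    if not sep or not credential.strip():
        # No separate credential part (e.g. a bare token): fingerprint the whole value.
        return f"<redacted hmac-sha256:{fingerprint(value.strip())}>"
    return f"{scheme} <redacted hmac-sha256:{fingerprint(credential.strip())}>"


def redact_header_line(line: str) -> str:
    """Redact a 'Name: value' line as printed by a headers or wire debug log,
    preserving the trailing CRLF marker the wire log appends."""
    name, sep, rest = line.partition(":")
    if not sep:
        return line  # not a header line; leave untouched
    suffix = ""
    if rest.endswith(WIRE_EOL):
        rest, suffix = rest[: -len(WIRE_EOL)], WIRE_EOL
    return f"{name}: {redact_header_value(name.strip(), rest.strip())}{suffix}"


if __name__ == "__main__":
    # Constructed sample lines; the Basic credential is base64("alice:s3cret").
    for sample in ("Authorization: Basic YWxpY2U6czNjcmV0" + WIRE_EOL,
                   "Content-Type: text/plain"):
        print(redact_header_line(sample))
```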
