hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Julian Sedding (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1811) Security : Authorization header should not be printed in debug log
Date Wed, 01 Feb 2017 16:45:51 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1811?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15848608#comment-15848608

Julian Sedding commented on HTTPCLIENT-1811:

I'm against swallowing the header value, as that can be highly misleading when debugging an
issue. If we keep the log but only obfuscate the value (and indicate that it is obfuscated!),
that would be fine for me. Keeping the obfuscated value stable, so it can be grepped etc would
also be helpful. Maybe shortening the value or hashing it would work?

> Security : Authorization header should not be printed in  debug log
> -------------------------------------------------------------------
>                 Key: HTTPCLIENT-1811
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1811
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (async)
>            Reporter: Sujitha Chinnathambi
>         Attachments: httpclient.patch
> Current behaviour : When https call is made with basic authentication  with  debug mode,
authorization information which is transfered part of 'Authorization' header is getting printed
in log in below artifact
>   <groupId>org.apache.httpcomponents</groupId>
>   <artifactId>httpclient</artifactId>
>   <version>4.3.6</version>
> Example : 
> org.apache.http.wire - []  >> "Authorization: Basic VEVTVCBLSCAwMS9TQ0hVTFVORzpzY2h1bHVuZw==[\r][\n]"
> org.apache.http.headers - [] >> Authorization: Basic VEVTVCBLSCAwMS9TQ0hVTFVORzpzY2h1bHVuZw==
> Expected behaiour: 
> Though log level is debug, authorization information should not be  printed in log.
> Attached httpclient.patch as proposal.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org

View raw message