Try to remove secrets from http.debug. #8222

Merged
bors merged 1 commit into rust-lang:master from ehuss:redact-http-debug
May 8, 2020

@ehuss
Contributor

@ehuss ehuss commented May 8, 2020

This tries to remove some private data (such as tokens) from the http.debug output.

@rust-highfive

r? @alexcrichton

(rust_highfive has picked a reviewer for you, use r? to override)

@rust-highfive rust-highfive added the S-waiting-on-review (Status: Awaiting review from the assignee but also interested parties.) label May 8, 2020

@alexcrichton
Member

@bors: r+

@bors
Contributor

bors commented May 8, 2020

📌 Commit b3616c0 has been approved by alexcrichton

@bors bors added S-waiting-on-bors (Status: Waiting on bors to run and complete tests. Bors will change the label on completion.) and removed S-waiting-on-review (Status: Awaiting review from the assignee but also interested parties.) labels May 8, 2020

@bors
Contributor

bors commented May 8, 2020

⌛ Testing commit b3616c0 with merge 911f0b9...

@bors
Contributor

bors commented May 8, 2020

☀️ Test successful - checks-azure
Approved by: alexcrichton
Pushing 911f0b9 to master...

@bors bors merged commit 911f0b9 into rust-lang:master May 8, 2020
@ehuss ehuss added this to the 1.45.0 milestone Feb 6, 2022
bors added a commit that referenced this pull request May 6, 2023
Fix redacting tokens in http debug.

Unfortunately it seems like #8222 didn't properly redact tokens when connecting to an http2 server. There were multiple problems:

* For some reason, curl changes the authorization header to be lowercase when using http2.
* Curl also logs the h2h3 lines separately with a different syntax.

This fixes it by checking for these additional cases.

This also adds a test, but it doesn't actually detect this problem because we don't have an http2 server handy. You can test this yourself by running `CARGO_LOG=trace CARGO_HTTP_DEBUG=true cargo publish --token a-unique-token --allow-dirty --no-verify`, and verifying the output does not contain the given token text.
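
An added example, not cargo's own code, showing the two HTTP/2 cases named in the commit message above run over sample debug output. The sample lines are constructed, the `h2h3 [name: value]` layout is an assumption about curl's log format, and `redact_line_naive` is a hypothetical case-sensitive check included only for comparison.

```rust
/// ASCII case-insensitive prefix test on bytes, so it cannot panic by
/// slicing inside a multi-byte UTF-8 character.
fn starts_with_ignore_case(line: &str, prefix: &str) -> bool {
    line.as_bytes()
        .get(..prefix.len())
        .map_or(false, |head| head.eq_ignore_ascii_case(prefix.as_bytes()))
}

/// Hypothetical case-sensitive check: only catches the HTTP/1.1 spelling.
fn redact_line_naive(line: &str) -> String {
    if line.starts_with("Authorization:") {
        return "Authorization: [REDACTED]".to_string();
    }
    line.to_string()
}

/// Covers both cases from the commit message: the lowercased header and the
/// separately logged h2h3 line (bracket syntax is an assumption).
fn redact_line(line: &str) -> String {
    if starts_with_ignore_case(line, "authorization:") {
        "Authorization: [REDACTED]".to_string()
    } else if starts_with_ignore_case(line, "h2h3 [authorization:") {
        "h2h3 [Authorization: [REDACTED]]".to_string()
    } else {
        line.to_string()
    }
}

/// Apply a line redactor to a whole chunk of debug output.
fn redact_all(chunk: &str, f: fn(&str) -> String) -> String {
    chunk.lines().map(f).collect::<Vec<_>>().join("\n")
}

// Constructed sample lines; the token value is a placeholder.
const TOKEN: &str = "a-unique-token";
const SAMPLE: &str = "\
Authorization: a-unique-token
authorization: a-unique-token
h2h3 [authorization: a-unique-token]
h2h3 [:method: PUT]
user-agent: cargo";

fn main() {
    let naive = redact_all(SAMPLE, redact_line_naive);
    let fixed = redact_all(SAMPLE, redact_line);
    println!("naive leaks token: {}", naive.contains(TOKEN));
    println!("fixed leaks token: {}", fixed.contains(TOKEN));
    println!("{}", fixed);
}
```

Asserting that the redacted output does not contain the token mirrors the manual check the commit message describes.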