Fix redacting tokens in http debug. #12095

Merged May 7, 2023 (1 commit)

ehuss
Contributor

@ehuss ehuss commented May 6, 2023

Unfortunately it seems like #8222 didn't properly redact tokens when connecting to an http2 server. There were multiple problems:

  • For some reason, curl changes the authorization header to be lowercase when using http2.
  • Curl also logs the h2h3 lines separately with a different syntax.

This fixes it by checking for these additional cases.

This also adds a test, but it doesn't actually detect this problem because we don't have an http2 server handy. You can test this yourself by running `CARGO_LOG=trace CARGO_HTTP_DEBUG=true cargo publish --token a-unique-token --allow-dirty --no-verify`, and verifying the output does not contain the given token text.
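
The two cases described above (a lowercase `authorization` header under HTTP/2 and the separate `h2h3` log lines), sketched as an added example; it is not code from this pull request or from cargo. The `h2h3 [name: value]` line shape, the `[REDACTED]` marker and all function names are assumptions made for illustration.

```rust
// Header names whose values must not reach a log (constructed list).
const SENSITIVE: &[&str] = &["authorization"];

// ASCII case-insensitive prefix test done on bytes, so a multi-byte
// character near the cut point cannot cause a slicing panic.
fn starts_with_ignore_case(line: &str, prefix: &str) -> bool {
    let (l, p) = (line.as_bytes(), prefix.as_bytes());
    l.len() >= p.len() && l[..p.len()].eq_ignore_ascii_case(p)
}

// Redact one line of HTTP debug output.
fn redact_line(line: &str) -> String {
    // Assumed shape of the separate HTTP/2 log line: `h2h3 [name: value]`.
    const H2: &str = "h2h3 [";
    let (prefix, rest, suffix) = if starts_with_ignore_case(line, H2) {
        (H2, &line[H2.len()..], "]")
    } else {
        ("", line, "")
    };
    for name in SENSITIVE {
        // Require the colon so `authorizationx:` is not treated as a match.
        let colon = rest.as_bytes().get(name.len()) == Some(&b':');
        if colon && starts_with_ignore_case(rest, name) {
            return format!("{}{}: [REDACTED]{}", prefix, name, suffix);
        }
    }
    line.to_string()
}

// Redact a whole debug chunk line by line.
fn redact(chunk: &str) -> Vec<String> {
    chunk.lines().map(redact_line).collect()
}

fn main() {
    // Constructed sample: HTTP/1.1 casing, HTTP/2 casing, and an h2h3 line.
    let token = "a-unique-token";
    let sample = format!(
        "Authorization: {t}\nauthorization: {t}\nh2h3 [authorization: {t}]\nh2h3 [:method: PUT]",
        t = token
    );
    for line in redact(&sample) {
        assert!(!line.contains(token), "token leaked: {}", line);
        println!("{}", line);
    }
}
```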

@rustbot
Collaborator

rustbot commented May 6, 2023

r? @weihanglo

(rustbot has picked a reviewer for you, use r? to override)

@rustbot rustbot added A-interacts-with-crates.io Area: interaction with registries S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels May 6, 2023
Member

@weihanglo weihanglo left a comment

Tested and it seems to match the behavior well. Thank you!

@weihanglo
Member

@bors r+

@bors
Contributor

bors commented May 6, 2023

📌 Commit d6c20cf has been approved by weihanglo

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels May 6, 2023
@bors
Contributor

bors commented May 6, 2023

⌛ Testing commit d6c20cf with merge 27a41d6...

@bors
Contributor

bors commented May 7, 2023

☀️ Test successful - checks-actions
Approved by: weihanglo
Pushing 27a41d6 to master...

@bors bors merged commit 27a41d6 into rust-lang:master May 7, 2023
bors added a commit to rust-lang-ci/rust that referenced this pull request May 10, 2023
Update cargo

10 commits in 569b648b5831ae8a515e90c80843a5287c3304ef..26b73d15a68fb94579f6d3590585ec0e9d81d3d5
2023-05-05 15:49:44 +0000 to 2023-05-09 20:28:03 +0000
- Update the semver-check script to be able to run in any directory. (rust-lang/cargo#12117)
- Semver: Note that it is not a breaking change to make an unsafe function safe (rust-lang/cargo#12116)
- Add more documentation for artifact-dependencies. (rust-lang/cargo#12110)
- changelog: move registry query fixes to the right place (rust-lang/cargo#12086)
- Disallow RUSTUP_TOOLCHAIN in the [env] table. (rust-lang/cargo#12107)
- Disallow RUSTUP_HOME in the [env] table. (rust-lang/cargo#12101)
- Fix redacting tokens in http debug. (rust-lang/cargo#12095)
- Fix self_signed_should_fail for macOS. (rust-lang/cargo#12097)
- Update git2 (rust-lang/cargo#12096)
- do not try an exponential number of package names (rust-lang/cargo#12083)

r? `@ghost`
RalfJung pushed a commit to RalfJung/miri that referenced this pull request May 10, 2023
Update cargo
@ehuss ehuss added this to the 1.71.0 milestone May 30, 2023