Try to remove secrets from http.debug. #8222

Merged
merged 1 commit into from
May 8, 2020

ehuss
Contributor

@ehuss ehuss commented May 8, 2020

This tries to remove some private data (such as tokens) from the http.debug output.

@rust-highfive

r? @alexcrichton

(rust_highfive has picked a reviewer for you, use r? to override)

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label May 8, 2020
@alexcrichton
Member

@bors: r+

@bors
Contributor

bors commented May 8, 2020

📌 Commit b3616c0 has been approved by alexcrichton

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels May 8, 2020
@bors
Contributor

bors commented May 8, 2020

⌛ Testing commit b3616c0 with merge 911f0b9...

@bors
Contributor

bors commented May 8, 2020

☀️ Test successful - checks-azure
Approved by: alexcrichton
Pushing 911f0b9 to master...

@bors bors merged commit 911f0b9 into rust-lang:master May 8, 2020
@ehuss ehuss added this to the 1.45.0 milestone Feb 6, 2022
bors added a commit that referenced this pull request May 6, 2023
Fix redacting tokens in http debug.

Unfortunately it seems like #8222 didn't properly redact tokens when connecting to an http2 server. There were multiple problems:

* For some reason, curl changes the authorization header to be lowercase when using http2.
* Curl also logs the h2h3 lines separately with a different syntax.

This fixes it by checking for these additional cases.

This also adds a test, but it doesn't actually detect this problem because we don't have an http2 server handy. You can test this yourself by running `CARGO_LOG=trace CARGO_HTTP_DEBUG=true cargo publish --token a-unique-token --allow-dirty --no-verify`, and verifying the output does not contain the given token text.
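
The redaction described in the commit message above, sketched as an added example that is not cargo's own code: header names are matched case-insensitively, and the separately logged HTTP/2 lines are handled too. The `h2h3 [name: value]` line shape, the `set-cookie` entry, the function names and the sample text are assumptions constructed for illustration; only the token string comes from the command quoted above.

```rust
/// Constructed sample of debug text: an HTTP/1.1 header block followed by
/// HTTP/2-style lines (lowercase header name, assumed `h2h3 [...]` syntax).
const SAMPLE: &str = "PUT /example HTTP/1.1\r\nAuthorization: a-unique-token\r\nAccept: */*\r\n\
h2h3 [:method: PUT]\nh2h3 [authorization: a-unique-token]\nauthorization: a-unique-token\r\n";

/// Header names whose values must never reach the log. The page names only
/// the authorization header; `set-cookie` is an addition made here.
const SECRET_HEADERS: [&str; 2] = ["authorization", "set-cookie"];

/// ASCII case-insensitive prefix check, needed because the header name
/// arrives lowercased when the connection uses HTTP/2.
fn starts_with_ignore_case(line: &str, prefix: &str) -> bool {
    line.len() >= prefix.len()
        && line.as_bytes()[..prefix.len()].eq_ignore_ascii_case(prefix.as_bytes())
}

/// Redact secret-bearing lines from one chunk of debug text, keeping every
/// other line and all original line endings untouched.
pub fn redact_debug(text: &str) -> String {
    let mut out = String::with_capacity(text.len());
    for line in text.split_inclusive('\n') {
        let body = line.trim_end_matches(['\r', '\n']);
        let ending = &line[body.len()..];
        let redacted = SECRET_HEADERS.iter().find_map(|name| {
            if starts_with_ignore_case(body, &format!("{name}:")) {
                Some(format!("{name}: [REDACTED]"))
            } else if starts_with_ignore_case(body, &format!("h2h3 [{name}:")) {
                // Assumed shape of the separately logged HTTP/2 header line.
                Some(format!("h2h3 [{name}: [REDACTED]]"))
            } else {
                None
            }
        });
        out.push_str(redacted.as_deref().unwrap_or(body));
        out.push_str(ending);
    }
    out
}

fn main() {
    print!("{}", redact_debug(SAMPLE));
}
```

A check that only matches the exact prefix `Authorization:` would let the last two sample lines through, which is the gap the follow-up commit describes.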