[tahoe-lafs-trac-stream] [tahoe-lafs] #1904: filenames leak into log files from rename (and other web-API operations that take filenames)

Mon May 13 01:02:49 UTC 2013

#1904: filenames leak into log files from rename (and other web-API operations
that take filenames)
-----------------------------------+----------------------------------
     Reporter:  zooko              |      Owner:
         Type:  defect             |     Status:  new
     Priority:  major              |  Milestone:  undecided
    Component:  code-frontend-web  |    Version:  1.9.2
   Resolution:                     |   Keywords:  privacy logging easy
Launchpad Bug:                     |
-----------------------------------+----------------------------------

Old description:

> I just saw something I didn't want to see in someone else's log file:
>
> {{{
> 22:29:43.173 [196712]: web: 127.0.0.1 GET /uri/[CENSORED]..?t=rename-
> form&name=me+just+before+I+shot+JFK&when_done=.&rename=rename 200 1111
> }}}
>
> Dammit! Now I know who shot JFK. I didn't want to know that.
>
> This ticket could become more important to https://LeastAuthority.com in
> the future, as we intend to make it very easy for our customers to opt-in
> to having their incident report files sent automatically to our log
> gatherer. I would like to see this ticket fixed ASAP so that in the
> future our customers will have a fixed version of Tahoe-LAFS installed...
>
> If you like this ticket, you may also like: #562, #563, #685, and #1008.

New description:

 I just saw something I didn't want to see in someone else's log file:

 {{{
 22:29:43.173 [196712]: web: 127.0.0.1 GET /uri/[CENSORED]..?t=rename-
 form&name=me+just+before+I+shot+JFK&when_done=.&rename=rename 200 1111
 }}}

 Dammit! Now I know who shot JFK. I didn't want to know that.

 This ticket could become more important to https://LeastAuthority.com in
 the future, as we intend to make it very easy for our customers to opt-in
 to having their incident report files sent automatically to our log
 gatherer. I would like to see this ticket fixed ASAP so that in the future
 our customers will have a fixed version of Tahoe-LAFS installed...

 If you like this ticket, you may also like: #562, #563, #685, and #1008.

--

Comment (by daira):

 From the duplicate #385 of a particular case ("webapi download with
 {{{?filename=}}} should not log filename"):
 > I noticed today that our log-sanitizing is failing to remove the
 filenames specified as query arguments from the web hits that we log. This
 is closely related to #221 (give proper filenames on download). I think
 that if we make the download links use a filename as the last component of
 the URL (rather than in a query arg), then that will resolve this issue
 easily.

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1904#comment:4>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage