filenames leak into log files from rename (and other web-API operations that take filenames)

[zooko]

I just saw something I didn't want to see in someone else's log file:

22:29:43.173 [196712]: web: 127.0.0.1 GET /uri/[CENSORED]..?t=rename-form&name=me+just+before+I+shot+JFK&when_done=.&rename=rename 200 1111

Dammit! Now I know who shot JFK. I didn't want to know that.

This ticket could become more important to ​https://LeastAuthority.com in the future, as we intend to make it very easy for our customers to opt-in to having their incident report files sent automatically to our log gatherer. I would like to see this ticket fixed ASAP so that in the future our customers will have a fixed version of Tahoe-LAFS installed...

If you like this ticket, you may also like: #562, #563, #685, and #1008.

[daira]

Note that many web-API operations take filenames. Removing 'confidentiality' from keywords since this does not leak file contents, which is how that keyword is defined.

[daira]

From the duplicate #385 of a particular case ("webapi download with ?filename= should not log filename"):

I noticed today that our log-sanitizing is failing to remove the filenames specified as query arguments from the web hits that we log. This is closely related to #221 (give proper filenames on download). I think that if we make the download links use a filename as the last component of the URL (rather than in a query arg), then that will resolve this issue easily.