#1904 new defect

filenames leak into log files from rename (and other web-API operations that take filenames)

Reported by: zooko
Owned by:
Priority: major
Milestone: undecided
Component: code-frontend-web
Version: 1.9.2
Keywords: privacy logging easy
Cc:
Launchpad Bug:

Description (last modified by daira)

I just saw something I didn't want to see in someone else's log file:

22:29:43.173 [196712]: web: GET /uri/[CENSORED]..?t=rename-form&name=me+just+before+I+shot+JFK&when_done=.&rename=rename 200 1111

Dammit! Now I know who shot JFK. I didn't want to know that.

This ticket could become more important to https://LeastAuthority.com in the future, as we intend to make it very easy for our customers to opt in to having their incident report files sent automatically to our log gatherer. I would like to see this ticket fixed ASAP so that in the future our customers will have a fixed version of Tahoe-LAFS installed...

If you like this ticket, you may also like: #562, #563, #685, and #1008.

Change History (4)

comment:1 Changed at 2013-01-14T08:59:43Z by zooko

  • Keywords easy added

comment:2 Changed at 2013-01-14T09:06:04Z by zooko

  • Description modified (diff)

comment:3 Changed at 2013-04-22T23:36:34Z by daira

  • Component changed from code-nodeadmin to code-frontend-web
  • Keywords confidentiality removed
  • Summary changed from filenames leak into log files from rename to filenames leak into log files from rename (and other web-API operations that take filenames)

Note that many web-API operations take filenames. Removing 'confidentiality' from keywords since this does not leak file contents, which is how that keyword is defined.

comment:4 Changed at 2013-05-13T01:02:49Z by daira

  • Description modified (diff)

From the duplicate #385 of a particular case ("webapi download with ?filename= should not log filename"):

I noticed today that our log-sanitizing is failing to remove the filenames specified as query arguments from the web hits that we log. This is closely related to #221 (give proper filenames on download). I think that if we make the download links use a filename as the last component of the URL (rather than in a query arg), then that will resolve this issue easily.
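An added example, not Tahoe-LAFS code and not taken from the ticket: since many web-API operations take filenames, this sketch redacts query arguments by allowlist instead of listing the arguments known to carry filenames. Assumptions: the web-hit line layout is the one in the log line quoted in the description, only the `t` operation selector is safe to log verbatim, and all function and constant names are hypothetical.

```python
import re

CENSORED = "[CENSORED]"
SAFE_ARGS = frozenset({"t"})             # assumption: only the operation selector is logged
TOKEN = re.compile(r"[A-Za-z0-9_-]+\Z")  # shape of a harmless arg name or t= value
# Layout as in the ticket: "<time> [<n>]: web: <METHOD> <target> <code> <size>"
WEB_HIT = re.compile(r"^(?P<head>.*? web: [A-Z]+ )(?P<target>\S+)(?P<tail> \d+ \d+)$")


def sanitize_query(query):
    """Keep argument names, drop every value that is not on the allowlist."""
    out = []
    for field in re.split(r"[&;]", query):
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not TOKEN.match(name):
            out.append(CENSORED)            # odd-looking name may itself carry data
        elif name in SAFE_ARGS and TOKEN.match(value):
            out.append(name + sep + value)  # e.g. t=rename-form
        elif sep:
            out.append(name + "=" + CENSORED)
        else:
            out.append(name)
    return "&".join(out)


def sanitize_target(target):
    """Sanitize the query string of a request target; the path is left as given."""
    path, sep, query = target.partition("?")
    return path + sep + sanitize_query(query) if sep else path


def sanitize_log_line(line):
    """Redact a web-hit log line; lines from other log sources pass through."""
    m = WEB_HIT.match(line)
    if m:
        return m.group("head") + sanitize_target(m.group("target")) + m.group("tail")
    # Fail closed: a web hit that does not parse is censored after the prefix.
    head, sep, _ = line.partition(" web: ")
    return head + sep + CENSORED if sep else line
```

A web-hit line that does not match the expected layout (for example, one with an unencoded space in the target) is censored after the `web:` prefix, so a parsing miss cannot leak a name.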
