Opened at 2013-01-14T08:58:10Z
Last modified at 2013-05-13T01:02:49Z
#1904 new defect
filenames leak into log files from rename (and other web-API operations that take filenames) — at Version 4
| Reported by: | zooko | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | undecided |
| Component: | code-frontend-web | Version: | 1.9.2 |
| Keywords: | privacy logging easy | Cc: | |
| Launchpad Bug: | | | |
Description (last modified by daira)
I just saw something I didn't want to see in someone else's log file:
22:29:43.173 [196712]: web: 127.0.0.1 GET /uri/[CENSORED]..?t=rename-form&name=me+just+before+I+shot+JFK&when_done=.&rename=rename 200 1111
Dammit! Now I know who shot JFK. I didn't want to know that.
This ticket could become more important to https://LeastAuthority.com in the future, as we intend to make it very easy for our customers to opt in to having their incident report files sent automatically to our log gatherer. I would like to see this ticket fixed ASAP so that in the future our customers will have a fixed version of Tahoe-LAFS installed...
If you like this ticket, you may also like: #562, #563, #685, and #1008.
Change History (4)
comment:1 Changed at 2013-01-14T08:59:43Z by zooko
- Keywords easy added
comment:2 Changed at 2013-01-14T09:06:04Z by zooko
- Description modified (diff)
comment:3 Changed at 2013-04-22T23:36:34Z by daira
- Component changed from code-nodeadmin to code-frontend-web
- Keywords confidentiality removed
- Summary changed from filenames leak into log files from rename to filenames leak into log files from rename (and other web-API operations that take filenames)
comment:4 Changed at 2013-05-13T01:02:49Z by daira
- Description modified (diff)
From the duplicate #385 of a particular case ("webapi download with ?filename= should not log filename"):
I noticed today that our log-sanitizing is failing to remove the filenames specified as query arguments from the web hits that we log. This is closely related to #221 (give proper filenames on download). I think that if we make the download links use a filename as the last component of the URL (rather than in a query arg), then that will resolve this issue easily.
Note that many web-API operations take filenames. Removing 'confidentiality' from keywords since this does not leak file contents, which is how that keyword is defined.
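An added example, not part of the ticket and not Tahoe-LAFS code: one way to redact web-hit log entries so that neither the path under `/uri/` nor any query-argument value reaches the log. The function names, the allowlist that keeps only `t` verbatim, and the log-line layout (inferred from the single line quoted in the description) are assumptions.

```python
import re
from urllib.parse import parse_qsl, quote_plus, urlsplit

CENSORED = "[CENSORED]"
# Assumption: only the operation selector "t" is safe to log verbatim.
# Every other query value (name=, filename=, when_done=, ...) is redacted.
SAFE_QUERY_ARGS = frozenset({"t"})

# Assumed layout of a web hit, taken from the one log line in the ticket:
#   "<timestamp> [<n>]: web: <client> <METHOD> <uri> <status> <size>"
_WEB_HIT = re.compile(r"(web: \S+ [A-Z]+ )(\S+)( \d+ \d+)$")


def sanitize_request_uri(uri):
    """Return a form of the request URI that is safe to write to a log."""
    parts = urlsplit(uri)
    path = parts.path
    # Assumption: everything after /uri/ is sensitive (the capability and any
    # child names), so a filename in the last path component is covered too.
    if path.startswith("/uri/"):
        path = "/uri/" + CENSORED
    args = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # Re-encode what is kept so a decoded CR/LF cannot split the log line.
        shown = quote_plus(value) if key in SAFE_QUERY_ARGS else CENSORED
        args.append(quote_plus(key) + "=" + shown)
    return path + ("?" + "&".join(args) if args else "")


def scrub_log_line(line):
    """Redact an already-written web hit, e.g. before sharing an incident report."""
    return _WEB_HIT.sub(
        lambda m: m.group(1) + sanitize_request_uri(m.group(2)) + m.group(3),
        line,
    )


if __name__ == "__main__":
    # Constructed sample: the log line quoted in the ticket description.
    sample = ("22:29:43.173 [196712]: web: 127.0.0.1 GET /uri/[CENSORED]..?"
              "t=rename-form&name=me+just+before+I+shot+JFK"
              "&when_done=.&rename=rename 200 1111")
    print(scrub_log_line(sample))
```

Argument names are kept so the log still shows which operation ran; only their values are replaced.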