
ResourceAccessException message could leak sensitive information [SPR-13860] #18433

Closed
spring-projects-issues opened this issue Jan 12, 2016 · 1 comment
Labels: in: web, type: enhancement

spring-projects-issues commented Jan 12, 2016

Joerg Bellmann opened SPR-13860 and commented

When a ResourceAccessException is thrown because of an IOException (SocketTimeoutException in our case), the message shows the full URI requested. And that message will most often be logged somewhere (also at an external log provider). This 'feature' was introduced with #13963.

We also use RestTemplate for requesting 'OAuth-AccessToken-Info'. In case of an IOException, the parameters are logged as well. A simple example URL could be:

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token={accessToken}

Now the 'access_token' parameter with its value appears in the log message. In general, showing the requested URL is a good idea, so maybe just strip the parameters for the log message.


Affects: 4.2.4

Issue Links:

  • #13963 Add more details in ResourceAccessException message thrown by doExecute method of RestTemplate

Referenced from: commits f3c2bb6

spring-projects-issues commented Jan 14, 2016

Rossen Stoyanchev commented

The resource URL now excludes the query string.
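The mitigation described in this thread, shown as an added example that is not the code of commit f3c2bb6 or of RestTemplate itself: before an I/O failure is wrapped in an exception whose message will end up in logs, the requested URI is reduced to scheme, authority and path, so a credential passed as a query parameter (a constructed placeholder token below) never reaches the log. The message format and the helper names are assumptions, not Spring's.

```java
import java.io.IOException;
import java.net.SocketTimeoutException;
import java.net.URI;
import java.net.URISyntaxException;

/** Added example: build a log-safe failure message from a request URI. */
public final class SafeRequestMessage {

    /** Returns scheme, authority and path only; query string and fragment are dropped. */
    static String stripQuery(URI uri) {
        try {
            return new URI(uri.getScheme(), uri.getAuthority(), uri.getPath(), null, null).toString();
        } catch (URISyntaxException e) {
            // Fall back to a form that cannot carry a query string at all.
            return uri.getScheme() + "://" + uri.getAuthority();
        }
    }

    /** Message a ResourceAccessException-style wrapper would carry (format is assumed). */
    static String buildMessage(String method, URI uri, IOException cause) {
        return "I/O error on " + method + " request for \"" + stripQuery(uri) + "\": " + cause.getMessage();
    }

    public static void main(String[] args) {
        // Constructed sample request with a placeholder token in the query string.
        URI uri = URI.create("https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=EXAMPLE_TOKEN");
        String msg = buildMessage("GET", uri, new SocketTimeoutException("Read timed out"));
        System.out.println(msg);
        // I/O error on GET request for "https://www.googleapis.com/oauth2/v1/tokeninfo": Read timed out
        if (msg.contains("EXAMPLE_TOKEN")) {
            throw new IllegalStateException("token leaked into exception message");
        }
    }
}
```

Stripping the query only protects the exception message; a token carried in the URL can still surface in access logs or proxies along the way, so sending it in a request header where the API allows it removes that exposure at the source.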
