Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Disable logging by default

Summary:
Logging was turned on unconditionally before, which led to apps leaking
sensitive data.  This change puts the logging api behind an explicit gate that
developers have to turn on.

It's unfortunate that this isn't automatic - ideally this would automatically
turn on for non-release signed bits.  I couldn't find such a check in Android
framework.  If android experts have better ways of tackling this, i'm all ears.
But bear in mind this is a security fix and needs to go out asap.

Test Plan: Launched in default mode and verified no logging in emulator.
Turned on log gate and verified logging.

Reviewers: mmarucheck, lshepard, yariv, raghuc1

Reviewed By: mmarucheck

CC: gregschechte, jacl

Differential Revision: https://phabricator.fb.com/D411377

Task ID: 933141
  • Loading branch information...
commit 1f0b0ea433e8db567a495ebe8f9b6019a7563384 1 parent fc4785c
@vijaye vijaye authored
View
21 facebook/src/com/facebook/android/Facebook.java
@@ -39,7 +39,6 @@
import android.os.Messenger;
import android.os.RemoteException;
import android.text.TextUtils;
-import android.util.Log;
import android.webkit.CookieSyncManager;
/**
@@ -349,7 +348,7 @@ public void onComplete(Bundle values) {
setAccessToken(values.getString(TOKEN));
setAccessExpiresIn(values.getString(EXPIRES));
if (isSessionValid()) {
- Log.d("Facebook-authorize", "Login Success! access_token="
+ Util.logd("Facebook-authorize", "Login Success! access_token="
+ getAccessToken() + " expires="
+ getAccessExpires());
mAuthDialogListener.onComplete(values);
@@ -360,17 +359,17 @@ public void onComplete(Bundle values) {
}
public void onError(DialogError error) {
- Log.d("Facebook-authorize", "Login failed: " + error);
+ Util.logd("Facebook-authorize", "Login failed: " + error);
mAuthDialogListener.onError(error);
}
public void onFacebookError(FacebookError error) {
- Log.d("Facebook-authorize", "Login failed: " + error);
+ Util.logd("Facebook-authorize", "Login failed: " + error);
mAuthDialogListener.onFacebookError(error);
}
public void onCancel() {
- Log.d("Facebook-authorize", "Login canceled");
+ Util.logd("Facebook-authorize", "Login canceled");
mAuthDialogListener.onCancel();
}
});
@@ -405,19 +404,19 @@ public void authorizeCallback(int requestCode, int resultCode, Intent data) {
if (error != null) {
if (error.equals(SINGLE_SIGN_ON_DISABLED)
|| error.equals("AndroidAuthKillSwitchException")) {
- Log.d("Facebook-authorize", "Hosted auth currently "
+ Util.logd("Facebook-authorize", "Hosted auth currently "
+ "disabled. Retrying dialog auth...");
startDialogAuth(mAuthActivity, mAuthPermissions);
} else if (error.equals("access_denied")
|| error.equals("OAuthAccessDeniedException")) {
- Log.d("Facebook-authorize", "Login canceled by user.");
+ Util.logd("Facebook-authorize", "Login canceled by user.");
mAuthDialogListener.onCancel();
} else {
String description = data.getStringExtra("error_description");
if (description != null) {
error = error + ":" + description;
}
- Log.d("Facebook-authorize", "Login failed: " + error);
+ Util.logd("Facebook-authorize", "Login failed: " + error);
mAuthDialogListener.onFacebookError(
new FacebookError(error));
}
@@ -427,7 +426,7 @@ public void authorizeCallback(int requestCode, int resultCode, Intent data) {
setAccessToken(data.getStringExtra(TOKEN));
setAccessExpiresIn(data.getStringExtra(EXPIRES));
if (isSessionValid()) {
- Log.d("Facebook-authorize",
+ Util.logd("Facebook-authorize",
"Login Success! access_token="
+ getAccessToken() + " expires="
+ getAccessExpires());
@@ -443,7 +442,7 @@ public void authorizeCallback(int requestCode, int resultCode, Intent data) {
// An Android error occured.
if (data != null) {
- Log.d("Facebook-authorize",
+ Util.logd("Facebook-authorize",
"Login failed: " + data.getStringExtra("error"));
mAuthDialogListener.onError(
new DialogError(
@@ -453,7 +452,7 @@ public void authorizeCallback(int requestCode, int resultCode, Intent data) {
// User pressed the 'back' button.
} else {
- Log.d("Facebook-authorize", "Login canceled by user.");
+ Util.logd("Facebook-authorize", "Login canceled by user.");
mAuthDialogListener.onCancel();
}
}
View
4 facebook/src/com/facebook/android/FbDialog.java
@@ -131,7 +131,7 @@ private void setUpWebView(int margin) {
@Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
- Log.d("Facebook-WebView", "Redirect URL: " + url);
+ Util.logd("Facebook-WebView", "Redirect URL: " + url);
if (url.startsWith(Facebook.REDIRECT_URI)) {
Bundle values = Util.parseUrl(url);
@@ -175,7 +175,7 @@ public void onReceivedError(WebView view, int errorCode,
@Override
public void onPageStarted(WebView view, String url, Bitmap favicon) {
- Log.d("Facebook-WebView", "Webview loading URL: " + url);
+ Util.logd("Facebook-WebView", "Webview loading URL: " + url);
super.onPageStarted(view, url, favicon);
mSpinner.show();
}
View
21 facebook/src/com/facebook/android/Util.java
@@ -48,6 +48,12 @@
public final class Util {
/**
+ * Set this to true to enable log output. Remember to turn this back off
+ * before releasing. Sending sensitive data to log is a security risk.
+ */
+ private static boolean ENABLE_LOG = false;
+
+ /**
* Generate the multi-part post body providing the parameters and boundary
* string
*
@@ -144,7 +150,7 @@ public static String openUrl(String url, String method, Bundle params)
if (method.equals("GET")) {
url = url + "?" + encodeUrl(params);
}
- Log.d("Facebook-Util", method + " URL: " + url);
+ Util.logd("Facebook-Util", method + " URL: " + url);
HttpURLConnection conn =
(HttpURLConnection) new URL(url).openConnection();
conn.setRequestProperty("User-Agent", System.getProperties().
@@ -298,4 +304,17 @@ public static void showAlert(Context context, String title, String text) {
alertBuilder.create().show();
}
+ /**
+ * A proxy for Log.d api that kills log messages in release build. It
+ * not recommended to send sensitive information to log output in
+ * shipping apps.
+ *
+ * @param tag
+ * @param msg
+ */
+ public static void logd(String tag, String msg) {
+ if (ENABLE_LOG) {
+ Log.d(tag, msg);
+ }
+ }
}
Please sign in to comment.
Something went wrong with that request. Please try again.