Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hide homeserver token from aiohttp logs #351

Closed
pacien opened this issue Aug 5, 2019 · 3 comments
Closed

Hide homeserver token from aiohttp logs #351

pacien opened this issue Aug 5, 2019 · 3 comments
Labels
enhancement New feature or improvement external This issue is valid, but needs to be fixed somewhere else (e.g. a library)

Comments

@pacien
Copy link
Contributor

pacien commented Aug 5, 2019

By default, the aiohttp logger is set to the INFO level, which causes all HTTP requests to be logged with the appservice's token in them. This might be a security issue.

For reference, Synapse redacts all tokens when logging requests.
@tulir tulir changed the title Appservice token leaked in the logs Hide homeserver token from aiohttp logs Aug 6, 2019
@tulir tulir added the enhancement New feature or improvement label Aug 6, 2019
@tulir
Copy link
Member

tulir commented Aug 6, 2019

Related to #321

@tulir tulir added this to the soon™ milestone Aug 6, 2019
@pacien
Copy link
Contributor Author

pacien commented Aug 6, 2019

An easy workaround could be to set this logger's level to WARNING by default instead.

https://github.com/tulir/mautrix-telegram/blob/281f7203dc6eec8be9e6489a8bf29ad7e850f07d/example-config.yaml#L345-L346

@tulir tulir modified the milestones: 0.8.0, 0.9.0 Apr 25, 2020
@tulir tulir modified the milestones: 0.9.0, soon™ Aug 3, 2020
@tulir
Copy link
Member

tulir commented Nov 17, 2020

This should be fixed on the server side (matrix-org/matrix-spec-proposals#2832)

@tulir tulir removed this from the 0.10.0 milestone Nov 17, 2020
@tulir tulir added the external This issue is valid, but needs to be fixed somewhere else (e.g. a library) label Dec 25, 2021
@tulir tulir closed this as not planned Won't fix, can't repro, duplicate, stale Jan 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or improvement external This issue is valid, but needs to be fixed somewhere else (e.g. a library)
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pacien @tulir