Do not log token or challenge with exception stacktrace (#25026)

* Make the filtering better readable * Add some more methods to the sensitive list
2026-05-28 04:32:30 -04:00 · 2016-06-08 16:32:58 +02:00 · 2016-06-08 16:32:58 +02:00 · e49307014c
commit e49307014c
parent 56215513e1
2 changed files with 30 additions and 4 deletions
--- a/lib/private/Log.php
+++ b/lib/private/Log.php
@ -60,6 +60,32 @@ class Log implements ILogger {
 	/** @var Normalizer */
 	private $normalizer;

+	protected $methodsWithSensitiveParameters = [
+		// Session/User
+		'login',
+		'checkPassword',
+		'updatePrivateKeyPassword',
+		'validateUserPass',
+
+		// TokenProvider
+		'getToken',
+		'isTokenPassword',
+		'getPassword',
+		'decryptPassword',
+		'logClientIn',
+		'generateToken',
+		'validateToken',
+
+		// TwoFactorAuth
+		'solveChallenge',
+		'verifyChallenge',
+
+		//ICrypto
+		'calculateHMAC',
+		'encrypt',
+		'decrypt',
+	];
+
 	/**
 	 * @param string $logger The logger that should be used
 	 * @param SystemConfig $config the system config object
@ -286,7 +312,7 @@ class Log implements ILogger {
 			'File' => $exception->getFile(),
 			'Line' => $exception->getLine(),
 		);
-		$exception['Trace'] = preg_replace('!(login|checkPassword|updatePrivateKeyPassword|validateUserPass)\(.*\)!', '$1(*** username and password replaced ***)', $exception['Trace']);
+		$exception['Trace'] = preg_replace('!(' . implode('|', $this->methodsWithSensitiveParameters) . ')\(.*\)!', '$1(*** sensitive parameters replaced ***)', $exception['Trace']);
 		$msg = isset($context['message']) ? $context['message'] : 'Exception';
 		$msg .= ': ' . json_encode($exception);
 		$this->error($msg, $context);
--- a/tests/lib/LoggerTest.php
+++ b/tests/lib/LoggerTest.php
@ -89,7 +89,7 @@ class LoggerTest extends TestCase {
 		foreach($logLines as $logLine) {
 			$this->assertNotContains($user, $logLine);
 			$this->assertNotContains($password, $logLine);
-			$this->assertContains('login(*** username and password replaced ***)', $logLine);
+			$this->assertContains('login(*** sensitive parameters replaced ***)', $logLine);
 		}
 	}

@ -104,7 +104,7 @@ class LoggerTest extends TestCase {
 		foreach($logLines as $logLine) {
 			$this->assertNotContains($user, $logLine);
 			$this->assertNotContains($password, $logLine);
-			$this->assertContains('checkPassword(*** username and password replaced ***)', $logLine);
+			$this->assertContains('checkPassword(*** sensitive parameters replaced ***)', $logLine);
 		}
 	}

@ -119,7 +119,7 @@ class LoggerTest extends TestCase {
 		foreach($logLines as $logLine) {
 			$this->assertNotContains($user, $logLine);
 			$this->assertNotContains($password, $logLine);
-			$this->assertContains('validateUserPass(*** username and password replaced ***)', $logLine);
+			$this->assertContains('validateUserPass(*** sensitive parameters replaced ***)', $logLine);
 		}
 	}
 }