Hide homeserver token from aiohttp logs #351

pacien · 2019-08-05T13:17:15Z

By default, the aiohttp logger is set to the INFO level, which causes all HTTP requests to be logged with the appservice's token in them. This might be a security issue.

For reference, Synapse redacts all tokens when logging requests.

tulir · 2019-08-06T10:59:57Z

Related to #321

pacien · 2019-08-06T11:47:08Z

An easy workaround could be to set this logger's level to WARNING by default instead.

https://github.com/tulir/mautrix-telegram/blob/281f7203dc6eec8be9e6489a8bf29ad7e850f07d/example-config.yaml#L345-L346

tulir · 2020-11-17T16:27:16Z

This should be fixed on the server side (matrix-org/matrix-spec-proposals#2832)

tulir changed the title ~~Appservice token leaked in the logs~~ Hide homeserver token from aiohttp logs Aug 6, 2019

tulir added the enhancement New feature or improvement label Aug 6, 2019

tulir added this to the soon™ milestone Aug 6, 2019

tulir modified the milestones: 0.8.0, 0.9.0 Apr 25, 2020

tulir modified the milestones: 0.9.0, soon™ Aug 3, 2020

tulir removed this from the 0.10.0 milestone Nov 17, 2020

tulir added the external This issue is valid, but needs to be fixed somewhere else (e.g. a library) label Dec 25, 2021

tulir closed this as not planned Won't fix, can't repro, duplicate, stale Jan 14, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Hide homeserver token from aiohttp logs #351

Hide homeserver token from aiohttp logs #351

pacien commented Aug 5, 2019

tulir commented Aug 6, 2019

pacien commented Aug 6, 2019

tulir commented Nov 17, 2020

Hide homeserver token from aiohttp logs #351

Hide homeserver token from aiohttp logs #351

Comments

pacien commented Aug 5, 2019

tulir commented Aug 6, 2019

pacien commented Aug 6, 2019

tulir commented Nov 17, 2020