#21756 closed defect (fixed)
Don't log oauth secrets
Reported by: | Woazboat | Owned by: | team |
---|---|---|---|
Priority: | normal | Milestone: | 22.03 |
Component: | Core | Version: | |
Keywords: | oauth, token, secret, information disclosure | Cc: | |
Description
```
Revision:18303
Is-Local-Build:false
Build-Date:1970-01-14 18:11:14
Debian-Release:0.0.svn18303+dfsg-2
Build-Name:Debian

Identification: JOSM/1.5 (18303 Debian en_GB) Linux Debian GNU/Linux bookworm/sid
Memory Usage: 407 MB / 3982 MB (212 MB allocated, but free)
Java version: 12.0.2+9-Debian-1, Debian, OpenJDK 64-Bit Server VM
Look and Feel: javax.swing.plaf.metal.MetalLookAndFeel
Screen: :0.0 1920×1080 (scaling 1.00×1.00) :0.1 1920×1080 (scaling 1.00×1.00) :0.2 1920×1080 (scaling 1.00×1.00)
Maximum Screen Size: 1920×1080
Best cursor sizes: 16×16→16×16, 32×32→32×32
Environment variable LANG: en_AT.UTF-8
System property file.encoding: ANSI_X3.4-1968
System property sun.jnu.encoding: ANSI_X3.4-1968
Locale info: en_GB
Numbers with default locale: 1234567890 -> 1234567890
Desktop environment: KDE
Java ATK Wrapper package: libatk-wrapper-java:all-0.38.0-5
libcommons-compress-java: libcommons-compress-java:all-1.21-1
libcommons-logging-java: libcommons-logging-java:all-1.2-2
fonts-noto: fonts-noto:all-20201225-1
liboauth-signpost-java: liboauth-signpost-java:all-1.2.1.2-3
VM arguments: [--module-path=/usr/share/openjfx/lib, --add-modules=java.scripting,java.sql,javafx.controls,javafx.media,javafx.swing,javafx.web, -Djosm.restart=true, -Djava.net.useSystemProxies=true, --add-exports=java.base/sun.security.action=ALL-UNNAMED, --add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED, --add-exports=java.desktop/com.sun.imageio.spi=ALL-UNNAMED]
Program arguments: [--debug]
```
When setting up oauth login, the token is logged as part of the query parameter:
```
2022-01-09 00:35:07.619 INFO: GET https://www.openstreetmap.org/oauth/request_token -> HTTP/1.1 200 (905 ms; 124 B)
2022-01-09 00:35:08.953 INFO: GET https://www.openstreetmap.org/login?cookie_test=true -> HTTP/1.1 200 (924 ms; 5.01 kB)
2022-01-09 00:35:08.965 INFO: POST https://www.openstreetmap.org/login (182 B) ...
2022-01-09 00:35:09.565 INFO: POST https://www.openstreetmap.org/login -> HTTP/1.1 302 (599 ms)
2022-01-09 00:35:09.877 INFO: GET https://www.openstreetmap.org/oauth/authorize?oauth_token=<removed> -> HTTP/1.1 200 (312 ms; 4.17 kB)
2022-01-09 00:35:09.923 INFO: POST https://www.openstreetmap.org/oauth/authorize (318 B) ...
2022-01-09 00:35:10.281 INFO: POST https://www.openstreetmap.org/oauth/authorize -> HTTP/1.1 200 (357 ms; 3.55 kB)
2022-01-09 00:35:11.204 INFO: GET https://www.openstreetmap.org/logout -> HTTP/1.1 200 (923 ms; 3.70 kB)
2022-01-09 00:35:12.124 INFO: GET https://www.openstreetmap.org/oauth/access_token -> HTTP/1.1 401 (918 ms)
```
With the --debug command line option, the token is also logged as part of the Authorization header:
```
2022-01-09 15:15:21.590 FINE: Reading user info ...
2022-01-09 15:15:21.591 FINE: Contacting Server...
2022-01-09 15:15:21.591 FINE: REQUEST HEADERS: {Accept=application/xml, */*;q=0.8, Accept-Encoding=gzip, deflate, Authorization=OAuth oauth_consumer_key="<removed>", oauth_nonce="<removed>", oauth_signature="<removed>", oauth_signature_method="HMAC-SHA1", oauth_timestamp="<removed>", oauth_token="<removed>", oauth_version="1.0"}
2022-01-09 15:15:21.595 INFO: Changeset updater active (checks every 60 minutes if open changesets have been closed)
2022-01-09 15:15:21.586 INFO: RemoteControl::Accepting remote connections on /0:0:0:0:0:0:0:1:8111
2022-01-09 15:15:21.769 INFO: GET https://api.openstreetmap.org/api/0.6/user/details (get number of unread messages) -> HTTP/1.1 200 (177 ms; 403 B)
```
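The two leaks described above (a token in a logged URL's query string, and OAuth header fields in a header dump) have one fix: scrub the secret values before the text reaches the log, at one central point rather than at every call site. The following is an added example, not code from the ticket and not JOSM's own fix; it is written in Python rather than JOSM's Java because the technique is language-independent. It goes slightly beyond the ticket by also covering Bearer and Basic credentials. Every name in it (SENSITIVE_FIELDS, redact_url, redact_authorization, redact_text, SecretRedactingFilter, scrub_lines, filtered_message) is an assumption of this example, and the sample log lines and tokens are constructed.

```python
import logging
import re
from urllib.parse import parse_qsl, quote_plus, urlsplit, urlunsplit

# Names whose values must never reach a log line. This list is constructed for
# the example (not taken from JOSM); extend it to whatever your client sends.
SENSITIVE_FIELDS = frozenset({
    "oauth_token", "oauth_token_secret", "oauth_verifier",
    "oauth_signature", "oauth_consumer_key", "oauth_nonce",
    "access_token", "refresh_token", "client_secret",
})
PLACEHOLDER = "<removed>"

_URL = re.compile(r"https?://[^\s'\"<>]+")
# OAuth 1.0 header fields look like  oauth_token="..."  and can be matched anywhere.
_OAUTH_FIELD = re.compile(r'(oauth_\w+)="([^"]*)"')
# "Authorization=Bearer xyz" / "Authorization: Basic xyz" inside a header dump.
_SCHEME_CRED = re.compile(
    r"(Authorization[=:]\s*(?:Bearer|Basic))\s+[^\s,}]+", re.IGNORECASE)


def redact_url(url: str) -> str:
    """Replace the value of each sensitive query parameter; keep everything else."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = "&".join(
        f"{quote_plus(k)}={PLACEHOLDER if k in SENSITIVE_FIELDS else quote_plus(v)}"
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    )
    return urlunsplit(parts._replace(query=cleaned))


def redact_authorization(header_value: str) -> str:
    """Scrub OAuth 1.0 fields; non-secret ones (signature method, version,
    timestamp) stay readable so the log remains useful for debugging."""
    return _OAUTH_FIELD.sub(
        lambda m: f'{m.group(1)}="{PLACEHOLDER}"'
        if m.group(1) in SENSITIVE_FIELDS else m.group(0),
        header_value,
    )


def redact_text(text: str) -> str:
    """Apply every redaction to a free-form log message: embedded URLs,
    Bearer/Basic credentials in header dumps, and OAuth 1.0 header fields."""
    text = _URL.sub(lambda m: redact_url(m.group(0)), text)
    text = _SCHEME_CRED.sub(lambda m: f"{m.group(1)} {PLACEHOLDER}", text)
    return redact_authorization(text)


class SecretRedactingFilter(logging.Filter):
    """Attach to a handler so the scrub happens once, centrally, for every
    record, instead of relying on each call site to remember it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()  # message is fully rendered now; no %-formatting left
        return True


def filtered_message(msg: str, *args) -> str:
    """Run one record through the filter and return what a handler would emit."""
    record = logging.LogRecord("http", logging.INFO, "http", 0, msg, args, None)
    SecretRedactingFilter().filter(record)
    return record.getMessage()


# Constructed sample lines shaped like the ticket's output; all tokens are made up.
SAMPLE_LINES = [
    "GET https://www.openstreetmap.org/oauth/authorize?oauth_token=tok4bc123 "
    "-> HTTP/1.1 200 (312 ms; 4.17 kB)",
    'REQUEST HEADERS: {Accept=application/xml, Authorization=OAuth '
    'oauth_consumer_key="ck9", oauth_nonce="n1", oauth_signature="s1g%3D", '
    'oauth_signature_method="HMAC-SHA1", oauth_timestamp="1641741321", '
    'oauth_token="tok4bc123", oauth_version="1.0"}',
    "REQUEST HEADERS: {Authorization=Bearer eyJabc.def.ghi, Accept=*/*}",
]


def scrub_lines(lines):
    """Redact already-written log lines, e.g. before attaching a log to a bug report."""
    return [redact_text(line) for line in lines]


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(SecretRedactingFilter())
    log = logging.getLogger("http")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    for line in SAMPLE_LINES:
        log.info(line)
```

Putting the filter on the handler rather than in the HTTP client means a debug dump of request headers is scrubbed just as a normal INFO line is, which is the case the ticket's second log excerpt shows. The redaction keeps parameter and field names and non-secret fields intact so the redacted log still tells you which request was made and with which signature method.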
Change History (4)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
Note: We need to do the same thing when exporting preferences. We already do this with the password.
comment:4 by , 3 years ago
Milestone: → 22.03
Debug output is another topic. Whoever enables debug output should be aware that posting this is dangerous for privacy for multiple reasons. That's true for any software, so I don't see a need to provide a feeling for false security here.
Including secrets in log messages makes it easy for users to inadvertently disclose them when e.g. posting log output as part of bug reports.
(This report was triggered by someone doing just that because they were having trouble with the oauth login)