Opened 17 months ago

Closed 15 months ago

Last modified 15 months ago

#21756 closed defect (fixed)

Don't log oauth secrets

Reported by: Woazboat
Owned by: team
Priority: normal
Milestone: 22.03
Component: Core
Version:
Keywords: oauth, token, secret, information disclosure
Cc:


Build-Date:1970-01-14 18:11:14

Identification: JOSM/1.5 (18303 Debian en_GB) Linux Debian GNU/Linux bookworm/sid
Memory Usage: 407 MB / 3982 MB (212 MB allocated, but free)
Java version: 12.0.2+9-Debian-1, Debian, OpenJDK 64-Bit Server VM
Look and Feel: javax.swing.plaf.metal.MetalLookAndFeel
Screen: :0.0 1920×1080 (scaling 1.00×1.00) :0.1 1920×1080 (scaling 1.00×1.00) :0.2 1920×1080 (scaling 1.00×1.00)
Maximum Screen Size: 1920×1080
Best cursor sizes: 16×16→16×16, 32×32→32×32
Environment variable LANG: en_AT.UTF-8
System property file.encoding: ANSI_X3.4-1968
System property sun.jnu.encoding: ANSI_X3.4-1968
Locale info: en_GB
Numbers with default locale: 1234567890 -> 1234567890
Desktop environment: KDE
Java ATK Wrapper package: libatk-wrapper-java:all-0.38.0-5
libcommons-compress-java: libcommons-compress-java:all-1.21-1
libcommons-logging-java: libcommons-logging-java:all-1.2-2
fonts-noto: fonts-noto:all-20201225-1
liboauth-signpost-java: liboauth-signpost-java:all-
VM arguments: [--module-path=/usr/share/openjfx/lib, --add-modules=java.scripting,java.sql,javafx.controls,,javafx.swing,javafx.web, -Djosm.restart=true,, --add-exports=java.base/, --add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED, --add-exports=java.desktop/com.sun.imageio.spi=ALL-UNNAMED]
Program arguments: [--debug]

When setting up oauth login, the token is logged as part of the query parameter:

2022-01-09 00:35:07.619 INFO: GET -> HTTP/1.1 200 (905 ms; 124 B)
2022-01-09 00:35:08.953 INFO: GET -> HTTP/1.1 200 (924 ms; 5.01 kB)
2022-01-09 00:35:08.965 INFO: POST (182 B) ...
2022-01-09 00:35:09.565 INFO: POST -> HTTP/1.1 302 (599 ms)
2022-01-09 00:35:09.877 INFO: GET<removed> -> HTTP/1.1 200 (312 ms; 4.17 kB)
2022-01-09 00:35:09.923 INFO: POST (318 B) ...
2022-01-09 00:35:10.281 INFO: POST -> HTTP/1.1 200 (357 ms; 3.55 kB)
2022-01-09 00:35:11.204 INFO: GET -> HTTP/1.1 200 (923 ms; 3.70 kB)
2022-01-09 00:35:12.124 INFO: GET -> HTTP/1.1 401 (918 ms)

With the --debug command line option, the token is also logged as part of the Authorization header:

2022-01-09 15:15:21.590 FINE: Reading user info ...
2022-01-09 15:15:21.591 FINE: Contacting Server...
2022-01-09 15:15:21.591 FINE: REQUEST HEADERS: {Accept=application/xml, */*;q=0.8, Accept-Encoding=gzip, deflate, Authorization=OAuth oauth_consumer_key="<removed>", oauth_nonce="<removed>", oauth_signature="<removed>", oauth_signature_method="HMAC-SHA1", oauth_timestamp="<removed>", oauth_token="<removed>", oauth_version="1.0"}
2022-01-09 15:15:21.595 INFO: Changeset updater active (checks every 60 minutes if open changesets have been closed)
2022-01-09 15:15:21.586 INFO: RemoteControl::Accepting remote connections on /0:0:0:0:0:0:0:1:8111
2022-01-09 15:15:21.769 INFO: GET (get number of unread messages) -> HTTP/1.1 200 (177 ms; 403 B)

Attachments (0)

Change History (4)

comment:1 Changed 17 months ago by Woazboat

Including secrets in log messages makes it easy for users to inadvertently disclose them when e.g. posting log output as part of bug reports.

(This report was triggered by someone doing just that because they were having trouble with the oauth login)

comment:2 Changed 15 months ago by taylor.smock

Note: We need to do the same thing when exporting preferences. We already do this with the password.

comment:3 Changed 15 months ago by stoecker

Resolution: fixed
Status: new → closed

In 18407/josm:

fix #21756 - strip typical privacy relevant parameters from URL output
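
As an added example (not JOSM's own code and not the change committed in 18407), a small Java redactor that replaces the values of secret OAuth query parameters in a URL and the value of the Authorization header in a header map before either reaches a log line. The parameter and header names it treats as secret are an assumed list chosen for this illustration.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

/** Strips OAuth-style secrets from URLs and request headers before they are logged. */
public final class LogRedactor {
    // Assumed list of query parameters treated as secrets (an assumption for this example).
    private static final Set<String> SECRET_PARAMS = Set.of(
        "oauth_token", "oauth_token_secret", "oauth_verifier", "oauth_signature",
        "oauth_consumer_key", "oauth_nonce", "access_token", "password");
    // Assumed list of headers whose value must never be logged.
    private static final Set<String> SECRET_HEADERS = Set.of("authorization", "cookie");

    /** Returns the URL with each secret query parameter value replaced by a placeholder. */
    public static String redactUrl(String url) {
        int q = url.indexOf('?');
        if (q < 0) return url;                       // no query string, nothing to redact
        int frag = url.indexOf('#', q);              // keep any fragment untouched
        String query = frag < 0 ? url.substring(q + 1) : url.substring(q + 1, frag);
        String tail = frag < 0 ? "" : url.substring(frag);
        StringBuilder sb = new StringBuilder(url.substring(0, q + 1));
        String[] pairs = query.split("&");
        for (int i = 0; i < pairs.length; i++) {
            if (i > 0) sb.append('&');
            int eq = pairs[i].indexOf('=');
            String name = eq < 0 ? pairs[i] : pairs[i].substring(0, eq);
            // Parameter names are compared case-insensitively; a bare name without '=' is kept as-is.
            if (eq >= 0 && SECRET_PARAMS.contains(name.toLowerCase(Locale.ROOT))) {
                sb.append(name).append("=<removed>");
            } else {
                sb.append(pairs[i]);
            }
        }
        return sb.append(tail).toString();
    }

    /** Returns a copy of the headers; secret headers keep only their scheme word (e.g. "OAuth"). */
    public static Map<String, String> redactHeaders(Map<String, String> headers) {
        return headers.entrySet().stream().collect(Collectors.toMap(
            e -> e.getKey(),
            e -> {
                if (!SECRET_HEADERS.contains(e.getKey().toLowerCase(Locale.ROOT))) return e.getValue();
                int sp = e.getValue().indexOf(' ');
                return sp < 0 ? "<removed>" : e.getValue().substring(0, sp) + " <removed>";
            }));
    }

    public static void main(String[] args) {
        // Constructed sample input; example.invalid is a reserved, non-routable name.
        System.out.println(redactUrl("https://example.invalid/oauth/authorize?oauth_token=abc123&scope=read"));
        System.out.println(redactHeaders(Map.of("Accept", "application/xml",
            "Authorization", "OAuth oauth_consumer_key=\"k\", oauth_token=\"t\"")));
    }
}
```

The same redaction has to sit in front of every sink (normal request logging and the --debug header dump alike), since a single unfiltered path is enough for the token to end up in a pasted bug report.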

comment:4 Changed 15 months ago by stoecker

Milestone: 22.03

Debug output is another topic. Whoever enables debug output should be aware that posting this is dangerous for privacy for multiple reasons. That's true for any software, so I don't see a need to provide a feeling of false security here.
