id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc
21756	Don't log oauth secrets	Woazboat	team	"{{{
Revision:18303
Is-Local-Build:false
Build-Date:1970-01-14 18:11:14
Debian-Release:0.0.svn18303+dfsg-2
Build-Name:Debian

Identification: JOSM/1.5 (18303 Debian en_GB) Linux Debian GNU/Linux bookworm/sid
Memory Usage: 407 MB / 3982 MB (212 MB allocated, but free)
Java version: 12.0.2+9-Debian-1, Debian, OpenJDK 64-Bit Server VM
Look and Feel: javax.swing.plaf.metal.MetalLookAndFeel
Screen: :0.0 1920×1080 (scaling 1.00×1.00) :0.1 1920×1080 (scaling 1.00×1.00) :0.2 1920×1080 (scaling 1.00×1.00)
Maximum Screen Size: 1920×1080
Best cursor sizes: 16×16→16×16, 32×32→32×32
Environment variable LANG: en_AT.UTF-8
System property file.encoding: ANSI_X3.4-1968
System property sun.jnu.encoding: ANSI_X3.4-1968
Locale info: en_GB
Numbers with default locale: 1234567890 -> 1234567890
Desktop environment: KDE
Java ATK Wrapper package: libatk-wrapper-java:all-0.38.0-5
libcommons-compress-java: libcommons-compress-java:all-1.21-1
libcommons-logging-java: libcommons-logging-java:all-1.2-2
fonts-noto: fonts-noto:all-20201225-1
liboauth-signpost-java: liboauth-signpost-java:all-1.2.1.2-3
VM arguments: [--module-path=/usr/share/openjfx/lib, --add-modules=java.scripting,java.sql,javafx.controls,javafx.media,javafx.swing,javafx.web, -Djosm.restart=true, -Djava.net.useSystemProxies=true, --add-exports=java.base/sun.security.action=ALL-UNNAMED, --add-exports=java.desktop/com.sun.imageio.plugins.jpeg=ALL-UNNAMED, --add-exports=java.desktop/com.sun.imageio.spi=ALL-UNNAMED]
Program arguments: [--debug]
}}}

When setting up oauth login, the token is logged as part of the query parameter:
{{{
2022-01-09 00:35:07.619 INFO: GET https://www.openstreetmap.org/oauth/request_token -> HTTP/1.1 200 (905 ms; 124 B)
2022-01-09 00:35:08.953 INFO: GET https://www.openstreetmap.org/login?cookie_test=true -> HTTP/1.1 200 (924 ms; 5.01 kB)
2022-01-09 00:35:08.965 INFO: POST https://www.openstreetmap.org/login (182 B) ...
2022-01-09 00:35:09.565 INFO: POST https://www.openstreetmap.org/login -> HTTP/1.1 302 (599 ms)
2022-01-09 00:35:09.877 INFO: GET https://www.openstreetmap.org/oauth/authorize?oauth_token=<removed> -> HTTP/1.1 200 (312 ms; 4.17 kB)
2022-01-09 00:35:09.923 INFO: POST https://www.openstreetmap.org/oauth/authorize (318 B) ...
2022-01-09 00:35:10.281 INFO: POST https://www.openstreetmap.org/oauth/authorize -> HTTP/1.1 200 (357 ms; 3.55 kB)
2022-01-09 00:35:11.204 INFO: GET https://www.openstreetmap.org/logout -> HTTP/1.1 200 (923 ms; 3.70 kB)
2022-01-09 00:35:12.124 INFO: GET https://www.openstreetmap.org/oauth/access_token -> HTTP/1.1 401 (918 ms)
}}}


With the `--debug` command line option, the token is also logged as part of the `Authorization` header:
{{{
2022-01-09 15:15:21.590 FINE: Reading user info ...
2022-01-09 15:15:21.591 FINE: Contacting Server...
2022-01-09 15:15:21.591 FINE: REQUEST HEADERS: {Accept=application/xml, */*;q=0.8, Accept-Encoding=gzip, deflate, Authorization=OAuth oauth_consumer_key=""<removed>"", oauth_nonce=""<removed>"", oauth_signature=""<removed>"", oauth_signature_method=""HMAC-SHA1"", oauth_timestamp=""<removed>"", oauth_token=""<removed>"", oauth_version=""1.0""}
2022-01-09 15:15:21.595 INFO: Changeset updater active (checks every 60 minutes if open changesets have been closed)
2022-01-09 15:15:21.586 INFO: RemoteControl::Accepting remote connections on /0:0:0:0:0:0:0:1:8111
2022-01-09 15:15:21.769 INFO: GET https://api.openstreetmap.org/api/0.6/user/details (get number of unread messages) -> HTTP/1.1 200 (177 ms; 403 B)
}}}
"	defect	closed	normal	22.03	Core		fixed	oauth, token, secret, information disclosure	
