Authored By
sbassett
Aug 1 2022, 2:46 PM

01-T308861.patch

From 03fbcf4e2304e51f7f6d97e635ff0d61c5e25b3d Mon Sep 17 00:00:00 2001
From: sbassett <sbassett@wikimedia.org>
Date: Tue, 7 Jun 2022 11:58:42 -0500
Subject: [PATCH] SECURITY: redact oauth_token_secret within log data
Bug: T308861
---
src/Backend/MWOAuthDataStore.php | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/Backend/MWOAuthDataStore.php b/src/Backend/MWOAuthDataStore.php
index f3d8d3c..e9120ef 100644
--- a/src/Backend/MWOAuthDataStore.php
+++ b/src/Backend/MWOAuthDataStore.php
@@ -143,6 +143,11 @@ class MWOAuthDataStore extends OAuthDataStore {
// Set timeout 5 minutes in the future of the timestamp as OAuthServer does. Use the
// timestamp so the client can also expire their nonce records after 5 mins.
if ( !$this->nonceCache->add( $key, 1, $timestamp + 300 ) ) {
+ // T308861
+ $key = preg_replace(
+ "/(oauth_token_secret\=\w+:)/",
+ "oauth_token_secret=[REDACTED]:",
+ $key);
$this->logger->info( "$key exists, so nonce has been used by this consumer+token" );
return true;
}
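Review bot: The redaction on the added lines only fires when the secret consists solely of `\w` characters and is immediately followed by a `:`, so a secret containing other characters (e.g. `-`, `+`, `/` or `=` in a base64-like value) or one sitting at the end of `$key` would still reach the log unredacted; `$key` is assembled outside this hunk, so I cannot confirm from here which shape it has. A wider match that does not depend on the trailing delimiter is safer while staying anchored on the literal field name, e.g. `'/oauth_token_secret=[^:&]+/'` replaced with `'oauth_token_secret=[REDACTED]'`, assuming the secret itself never contains `:` or `&`. Consider assigning the result to a new local such as `$redactedKey` instead of overwriting `$key`, so a later reader does not mistake the logged value for the cache key; also note that `preg_replace` returns `null` on a PCRE error, which interpolates as an empty string — no leak, but the message loses its context. The most robust fix is to build the log message from the non-secret parts of the key (consumer key, nonce, timestamp) rather than scrub the secret out of a string that already contains it. The enclosing method starts before this hunk.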
--
2.20.1
