On mwlog1002, /srv/mw-log/OAuth.log contains oauth_token_secret query parameters. This is unnecessary for debugging and creates a needless risk.
Author Affiliation: Wikimedia Communities
So the relevant logging action is in src/Backend/MWOAuthDataStore.php. It's using this OAuth token format as part of the cache key, so technically it has nothing to do with query parameters. Since we're just worried about the logging action here, the simplest solution would be removing/redacting the oauth_token_secret value from the $key variable just prior to it getting logged. Testing within shell.php, something like:
$key = preg_replace("/(oauth_token_secret\=\w+:)/", "", $key);
$key = preg_replace("/(oauth_token_secret\=\w+:)/", "oauth_token_secret=[REDACTED]:", $key);
should work. Not sure if it's better to show the secret was redacted or have it disappear entirely, for those debugging with OAuth.log.
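A fuller version of the redaction described in the comment above, as an added example that is not code from the OAuth extension or from the commenter. It assumes the cache key is a colon-separated list of name=value segments (as the trailing ':' in the regexes above suggests) and uses the assumed function names redactTokenSecret and assertNoSecret. It also covers the case the comment's pattern does not: a secret sitting in the last segment, with no ':' after it. The sample keys are constructed, not real tokens.

```php
<?php
// Added example (not MediaWiki OAuth extension code): strip or mask an
// oauth_token_secret value from a cache-key-style string before logging it.
// Assumed key layout: "name=value" segments joined by ':'; the secret is
// treated as \w+, matching the regexes in the comment above.

/**
 * Return $key with any oauth_token_secret value removed ($showMarker=false)
 * or replaced by a visible marker ($showMarker=true). The pattern stops at
 * the next ':' or at end of string, so a secret in the last segment is also
 * caught.
 */
function redactTokenSecret( string $key, bool $showMarker = true ): string {
	$replacement = $showMarker ? 'oauth_token_secret=[REDACTED]' : '';
	$redacted = preg_replace( '/oauth_token_secret=\w+/', $replacement, $key );
	if ( !$showMarker ) {
		// Dropping the whole segment can leave "::" or a stray leading/trailing
		// ':'; collapse and trim so the key still reads sensibly in the log.
		$redacted = trim( preg_replace( '/:{2,}/', ':', $redacted ), ':' );
	}
	return $redacted;
}

/** Fail closed: refuse to emit a log line that still carries a secret value. */
function assertNoSecret( string $line ): void {
	if ( preg_match( '/oauth_token_secret=(?!\[REDACTED\])\w/', $line ) ) {
		throw new RuntimeException( 'refusing to log an unredacted oauth_token_secret' );
	}
}

// Constructed sample keys (not real tokens); the second has the secret last.
$samples = [
	'oauth:nonce:oauth_token=abc123:oauth_token_secret=deadbeefcafe:oauth_nonce=xyz',
	'oauth:nonce:oauth_token=abc123:oauth_token_secret=deadbeefcafe',
];
foreach ( $samples as $key ) {
	$marked  = redactTokenSecret( $key );        // ...:oauth_token_secret=[REDACTED]:...
	$dropped = redactTokenSecret( $key, false ); // ...:oauth_token=abc123:oauth_nonce=xyz
	assertNoSecret( $marked );
	assertNoSecret( $dropped );
	echo "marked:  $marked\n";
	echo "dropped: $dropped\n";
}
```

Run it with `php redact.php`. Keeping the [REDACTED] marker is the more debugger-friendly of the two options in the comment, since it shows that the key did contain a secret at that position; assertNoSecret is a belt-and-braces check that makes a future regression (for instance a key format change that the pattern no longer matches) fail loudly instead of quietly writing the secret to OAuth.log again.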
This commit breaks OAuth on MW 1.35
nonceCache is not defined, resulting in Call to a member function add() on null.
It works on 1.35+ as `cache` was renamed to `nonceCache`.