Bug #2862 (closed)
We log oauth consumer key in the production.log
Description
We should not do that; just saying "is invalid" is enough and more secure.
Updated by Marek Hulán over 11 years ago
I personally don't like this change too much. oauth_key is something like a username (and oauth_consumer is more like a password), so I think we can log this. I find this useful for debugging. If we want to hide usernames, we should think of filtering usernames coming from login forms (and probably other places). Anyone else concerned?
Updated by Lukas Zapletal over 11 years ago
- Status changed from Assigned to Ready For Testing
Updated by Dominic Cleal over 11 years ago
I ran this by Grant from RH's security team and he seemed to agree with Marek's response:
The consumer_key makes up part of the client credentials but it is not a secret component of them. It is intended to be a unique identifier for the client that is transmitted when requesting a request_token and access_token. The consumer_secret should never be exposed. In this case I'm not sure it would matter if you logged the consumer_key anyway as AFAICT only one consumer_key / consumer_secret can be configured for the application.
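The distinction drawn above (consumer_key is a client identifier, consumer_secret and anything derived from it must never be logged) is the same line Rails' `config.filter_parameters` lets you draw. The following is an added example, not Foreman's code and not anything from this ticket: a small standalone filter that redacts the secret-bearing OAuth 1.0a parameters while leaving the consumer key visible, and builds the "is invalid" message the report asks for. The parameter names follow the OAuth 1.0a spec; the sample values and the `host.root_password` field are constructed for illustration.

```ruby
# Added example (not Foreman's code): redact the secret parts of an OAuth 1.0a
# request before it reaches production.log, while keeping the consumer key,
# which is a client identifier rather than a secret, visible for debugging.
#
# Mirrors the idea behind Rails' config.filter_parameters: a list of parameter
# name patterns whose values are replaced with "[FILTERED]". The sample
# parameters at the bottom are constructed for illustration.
require 'cgi'

# Parameter names (matched as substrings) whose values must never be logged.
# oauth_consumer_key is deliberately NOT in this list.
SECRET_PARAM_PATTERNS = [
  /secret/i,          # consumer_secret, token_secret, oauth_consumer_secret ...
  /oauth_signature/i, # derived from the secrets, so treat it as secret too
  /password/i,
].freeze

FILTERED = '[FILTERED]'

def secret_param?(name)
  SECRET_PARAM_PATTERNS.any? { |re| name.to_s.match?(re) }
end

# Return a filtered copy of a params hash; nested hashes and arrays are
# walked recursively and the original is left untouched.
def filter_params(params)
  case params
  when Hash
    params.each_with_object({}) do |(k, v), out|
      out[k] = secret_param?(k) ? FILTERED : filter_params(v)
    end
  when Array
    params.map { |v| filter_params(v) }
  else
    params
  end
end

# Filter a raw query string / form body as it would appear in a request log line.
def filter_query_string(query)
  CGI.parse(query).flat_map do |name, values|
    values.map { |v| "#{name}=#{secret_param?(name) ? FILTERED : CGI.escape(v)}" }
  end.join('&')
end

# The "is invalid" style message from the report: the consumer key may be
# named (it is an identifier), the secret-bearing parameters never appear.
def invalid_consumer_message(params)
  safe = filter_params(params)
  "OAuth consumer key #{safe['oauth_consumer_key'].inspect} is invalid"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample request parameters (values are not real credentials)
  sample = {
    'oauth_consumer_key' => 'foreman-client-1',
    'oauth_consumer_secret' => 'constructed-secret-value',
    'oauth_signature' => 'constructed-signature',
    'oauth_timestamp' => '1375000000',
    'host' => { 'name' => 'web01.example.com', 'root_password' => 'constructed' },
  }
  p filter_params(sample)
  puts invalid_consumer_message(sample)
end
```

The filter is intentionally pattern based rather than an exact name list: OAuth libraries and forms vary in how they spell `consumer_secret` versus `oauth_consumer_secret`, and a substring match on `secret` catches both without having to enumerate every spelling, while the key name stays untouched so the identifier remains available when debugging a failed request.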
Updated by Lukas Zapletal over 11 years ago
- Status changed from Ready For Testing to Rejected