Don't include passwords in logs

2016-06-11 12:53:58 +02:00 · 2016-06-11 12:53:58 +02:00 · d4e6205745
commit d4e6205745
parent 063e827588
3 changed files with 16 additions and 12 deletions
--- a/3
+++ b/3
@ -116,6 +116,9 @@
 # Store all environment variables (including those set in the shell)
 #full_environment = False

+# Don't include passwords in logs
+#mask_passwords = True
+

 [headers]

--- a/radicale/init.py
+++ b/radicale/init.py
@ -119,20 +119,20 @@ class Application:
        self.Collection = storage.load(configuration, logger)
        self.authorized = rights.load(configuration, logger)
        self.encoding = configuration.get("encoding", "request")
-        if configuration.getboolean("logging", "full_environment"):
-            self.headers_log = lambda environ: environ

-    # This method is overriden in __init__ if full_environment is set
-    # pylint: disable=E0202
-    @staticmethod
-    def headers_log(environ):
-        """Remove environment variables from the headers for logging."""
+    def headers_log(self, environ):
+        """Sanitize headers for logging."""
        request_environ = dict(environ)
-        for shell_variable in os.environ:
-            if shell_variable in request_environ:
-                del request_environ[shell_variable]
+        # Remove environment variables
+        if not self.configuration.getboolean("logging", "full_environment"):
+            for shell_variable in os.environ:
+                request_environ.pop(shell_variable, None)
+        # Mask credentials
+        if (self.configuration.getboolean("logging", "mask_passwords") and
+                request_environ.get("HTTP_AUTHORIZATION",
+                                    "").startswith("Basic")):
+            request_environ["HTTP_AUTHORIZATION"] = "Basic **masked**"
        return request_environ
-    # pylint: enable=E0202

    def decode(self, text, environ):
        """Try to magically decode ``text`` according to given ``environ``."""
--- a/radicale/config.py
+++ b/radicale/config.py
@ -63,7 +63,8 @@ INITIAL_CONFIG = {
    "logging": {
        "config": "/etc/radicale/logging",
        "debug": "False",
-        "full_environment": "False"}}
+        "full_environment": "False",
+        "mask_passwords": "True"}}


 def load(paths=()):