
[tor-bugs] #16894 [Tor]: Check all logging output is appropriately escaped / escaped_safe_str_client



#16894: Check all logging output is appropriately escaped / escaped_safe_str_client
------------------------------------------------+------------------------------------
 Reporter:  teor                                |          Owner:
     Type:  task                                |         Status:  new
 Priority:  normal                              |      Milestone:  Tor: 0.2.7.x-final
Component:  Tor                                 |        Version:  Tor: unspecified
 Keywords:  TorCoreTeam201509 security logging  |  Actual Points:
Parent ID:                                      |         Points:
------------------------------------------------+------------------------------------
 Security bugs like #16891 show up every so often, where sensitive input is
 logged, rather than being obscured. Similarly, client input is sometimes
 logged unsanitised (I fixed one of these in the directory request logging
 code about 9-12 months ago.)

 It would be great if someone could review all the strings that are logged
 by Tor, and categorise them into:
 * static or calculated internally: trusted, log as-is
 * externally provided: unsanitised, use escaped()
 * sensitive client information: use escaped_safe_str_client()

 Do we want this in 0.2.7, or should we leave it until 0.2.8?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16894>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
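
Added example, not part of the ticket and not Tor's code: a simplified C sketch of the three logging categories listed in the ticket. log_escape() and log_client() are hypothetical stand-ins for the escaped() and escaped_safe_str_client() helpers the ticket names, safe_logging is an assumed switch, and both sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed switch: 1 = hide client-identifying strings in logs. */
static int safe_logging = 1;

/* Hypothetical stand-in for an escaped()-style helper. Quotes s and rewrites
 * quotes, backslashes, control bytes and non-ASCII bytes, so one input always
 * becomes one printable log field. Output is truncated to fit outlen. */
static const char *log_escape(const char *s, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen < 8)
        return "\"\"";
    out[o++] = '"';
    /* Reserve 4 bytes for the widest escape plus closing quote and NUL. */
    for (; *s && o + 6 <= outlen; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '\n' || c == '\r' || c == '\t') {
            out[o++] = '\\';
            out[o++] = (c == '\n') ? 'n' : (c == '\r') ? 'r' : 't';
        } else if (c == '"' || c == '\\') {
            out[o++] = '\\';
            out[o++] = (char)c;
        } else if (c >= 0x20 && c < 0x7f) {
            out[o++] = (char)c;
        } else {
            o += (size_t)snprintf(out + o, 5, "\\%03o", (unsigned)c);
        }
    }
    out[o++] = '"';
    out[o] = '\0';
    return out;
}

/* Hypothetical stand-in for an escaped_safe_str_client()-style helper. */
static const char *log_client(const char *s, char *out, size_t outlen)
{
    return safe_logging ? "[scrubbed]" : log_escape(s, out, outlen);
}

int main(void)
{
    char a[128], b[128];
    /* Constructed input: a request path carrying a fake second log line. */
    const char *req = "/tor/x\nSep 01 00:00:00 [notice] fake entry";
    const char *host = "client-destination.example";
    printf("[info] static: directory request received\n");      /* trusted */
    printf("[info] request %s\n", log_escape(req, a, sizeof a)); /* external */
    printf("[info] target %s\n", log_client(host, b, sizeof b)); /* sensitive */
    return 0;
}
```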