From 03fbcf4e2304e51f7f6d97e635ff0d61c5e25b3d Mon Sep 17 00:00:00 2001
From: sbassett
Date: Tue, 7 Jun 2022 11:58:42 -0500
Subject: [PATCH] SECURITY: redact oauth_token_secret within log data

Bug: T308861
---
 src/Backend/MWOAuthDataStore.php | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/Backend/MWOAuthDataStore.php b/src/Backend/MWOAuthDataStore.php
index f3d8d3c..e9120ef 100644
--- a/src/Backend/MWOAuthDataStore.php
+++ b/src/Backend/MWOAuthDataStore.php
@@ -143,6 +143,11 @@ class MWOAuthDataStore extends OAuthDataStore {
 // Set timeout 5 minutes in the future of the timestamp as OAuthServer does. Use the
 // timestamp so the client can also expire their nonce records after 5 mins.
 if ( !$this->nonceCache->add( $key, 1, $timestamp + 300 ) ) {
+ // T308861
+ $key = preg_replace(
+ "/(oauth_token_secret\=\w+:)/",
+ "oauth_token_secret=[REDACTED]:",
+ $key);
 $this->logger->info( "$key exists, so nonce has been used by this consumer+token" );
 return true;
 }
-- 
2.20.1
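Review bot: The pattern `/(oauth_token_secret\=\w+:)/` in the added preg_replace() redacts the secret only when it consists entirely of `[A-Za-z0-9_]` and is immediately followed by `:`; a secret containing any other byte, or one sitting at the end of `$key`, makes the whole match fail and the full secret still reaches `$this->logger->info()` on the next line. A class that stops at the separator instead of enumerating the secret's alphabet closes that gap: `'/(oauth_token_secret=)[^:]*/'` with replacement `'$1[REDACTED]'`, which also drops the unneeded `\=` escape and the unused capture of the trailing `:`. preg_replace() returns null on a PCRE error, so a `?? '[REDACTED]'` fallback (or logging the consumer key and nonce rather than the cache key at all) keeps the secret out of the log on every path. The enclosing method starts before the hunk, so how `$key` is assembled and whether the secret can itself contain `:` is not visible here.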