
Write HTTP request as a buffer to hide secrets.

The prior method of writing headers as strings could expose secrets in trace level logs.

Instead write the entire request as a buffer to prevent secrets from being logged and also reduce the amount of logging.
David Steele
2020-07-08 15:07:29 -04:00
parent dd9e14b628
commit eaa05fdc49
4 changed files with 13 additions and 13 deletions
+10 -13
@@ -100,29 +100,26 @@ httpRequestProcess(HttpRequest *this, bool requestOnly, bool contentCache)
{
session = httpClientOpen(this->client);
// Write the request
String *queryStr = httpQueryRender(this->query);
ioWriteStrLine(
httpSessionIoWrite(session),
// Format the request
String *requestStr =
strNewFmt(
"%s %s%s%s " HTTP_VERSION "\r", strPtr(this->verb), strPtr(httpUriEncode(this->uri, true)),
queryStr == NULL ? "" : "?", queryStr == NULL ? "" : strPtr(queryStr)));
"%s %s%s%s " HTTP_VERSION CRLF_Z, strPtr(this->verb), strPtr(httpUriEncode(this->uri, true)),
this->query == NULL ? "" : "?", this->query == NULL ? "" : strPtr(httpQueryRender(this->query)));
// Write headers
// Add headers
const StringList *headerList = httpHeaderList(this->header);
for (unsigned int headerIdx = 0; headerIdx < strLstSize(headerList); headerIdx++)
{
const String *headerKey = strLstGet(headerList, headerIdx);
ioWriteStrLine(
httpSessionIoWrite(session),
strNewFmt("%s:%s\r", strPtr(headerKey), strPtr(httpHeaderGet(this->header, headerKey))));
strCatFmt(
requestStr, "%s:%s" CRLF_Z, strPtr(headerKey), strPtr(httpHeaderGet(this->header, headerKey)));
}
// Write out blank line to end the headers
ioWriteLine(httpSessionIoWrite(session), CR_BUF);
// Add blank line to end of headers and write the request as a buffer so secrets do not show up in logs
strCat(requestStr, CRLF_STR);
ioWrite(httpSessionIoWrite(session), BUFSTR(requestStr));
// Write out content if any
if (this->content != NULL)
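Review bot: The query guard in the new request-line format (the `strNewFmt` call that ends in `CRLF_Z`) tests `this->query == NULL`, whereas the lines it appears to replace tested the rendered result, `queryStr == NULL`. If `httpQueryRender()` can return NULL for a non-NULL but empty query (its body is not shown on this page), the request line would now carry a stray `?` and `strPtr()` would be handed NULL. Keeping `String *queryStr = httpQueryRender(this->query);` and guarding both ternaries on `queryStr == NULL` would preserve the earlier behaviour. Separately, `requestStr` now holds every header value in one string, including any credentials, so a short comment saying which memory context frees it would help. `httpRequestProcess` continues outside this hunk, so the string's lifetime cannot be confirmed from here.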
+1
@@ -23,6 +23,7 @@ STRING_EXTERN(BRACKETL_STR, BRACKETL_Z);
STRING_EXTERN(BRACKETR_STR, BRACKETR_Z);
STRING_EXTERN(COLON_STR, COLON_Z);
STRING_EXTERN(CR_STR, CR_Z);
STRING_EXTERN(CRLF_STR, CRLF_Z);
STRING_EXTERN(DASH_STR, DASH_Z);
STRING_EXTERN(DOT_STR, DOT_Z);
STRING_EXTERN(DOTDOT_STR, DOTDOT_Z);
+1
@@ -215,6 +215,7 @@ STRING_DECLARE(BRACKETL_STR);
STRING_DECLARE(BRACKETR_STR);
STRING_DECLARE(COLON_STR);
STRING_DECLARE(CR_STR);
STRING_DECLARE(CRLF_STR);
STRING_DECLARE(DASH_STR);
STRING_DECLARE(DOT_STR);
STRING_DECLARE(DOTDOT_STR);
+1
@@ -15,6 +15,7 @@ Zero-terminated strings that are generally useful
#define COLON_Z ":"
#define COMMA_Z ","
#define CR_Z "\r"
#define CRLF_Z "\r\n"
#define DASH_Z "-"
#define DOT_Z "."
#define DOTDOT_Z ".."