Hello,

On 08/25/2015 08:16 AM, teor wrote:
On 24 Aug 2015, at 09:12, Andreas Stieger <astieger@suse.com> wrote:
I found a warning-level message in socks5 code relating to malformed
hostnames that did not respect the SafeLogging setting, breaking the
rule of least surprise. Please review the attached simple patch.
Thank you for submitting this patch - is there a corresponding Trac ticket?
(Patches without Trac tickets can get lost easily.)
I created #16891 and attached the patch.
https://trac.torproject.org/projects/tor/ticket/16891
Thanks, Andreas, I have reviewed your patch, and tagged it with the keywords PostFreeze027 (so it gets merged before / during the 0.2.7 freeze) and TorCoreTeam201508 (so it's included in this month's work).
I have also filed #16894 to do a review of similar logging issues elsewhere in the Tor codebase.
If anyone wants to help review the places where Tor logs externally-provided strings, and particularly logging sensitive client information, please add your findings to the ticket.
Thanks again,
Tim (teor)