[tor-bugs] #26882 [Core Tor/Tor]: IP address is not scrubbed in info logs, channel_tls_process_netinfo_cell()
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jul 19 20:47:37 UTC 2018
#26882: IP address is not scrubbed in info logs, channel_tls_process_netinfo_cell()
------------------------------+---------------------------------
Reporter: dmr | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Core Tor/Tor | Version:
Severity: Normal | Keywords: tor-client, tor-doc
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+---------------------------------
Here's a log snippet from an `info` log I was manually reviewing to scrub
before sharing.
{{{
[info] channel_tls_process_netinfo_cell(): Got good NETINFO cell from
[scrubbed]:443; OR connection is now open, using protocol version 5. Its
ID digest is <redacted>. Our address is apparently <redacted>.
}}}
In the above, `<redacted>` is my notation; `[scrubbed]` is from
SafeLogging.
(I'm not sure I had to redact the digest, but was just being
conservative.)
`SafeLogging 1` was set (default).
Tor `0.3.3.7`
asn mentioned on #tor-dev that he thinks this is a bug.
Some brief notes from asn:
> "<none>" : fmt_and_decorate_addr(&my_apparent_addr));
> hm yeah that's I think a bug
> it should be safe_str_client()
> so weird that no one has mentioned htis before
It's worth noting the manpage for `SafeLogging` says:
> ...
> If this option is set to 0, Tor will not perform any scrubbing, if it is
set to 1, all potentially sensitive strings are replaced.
> ...
arma advocated for a different resolution:
> if i were filing this ticket i would file a "scale back safelogging
claims in the man page" ticket :)
(My preference is to scrub the IP address, but I also acknowledge the
rabbit hole of trying to scrub anything "sensitive", especially in
info/debug logs)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26882>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list