Apply safelog's "Sensitive" tag to filenames, or otherwise redact them?
Paths on the filesystem can be sensitive, as in C:\Users\NickMathewson\AppData\Arti\, or as in /srv/onion-services/nicks-onion-blog/.
But redacting paths on the file system can lead to frustrating errors, as in "Could not open [...]" or "Could not open ${APP_STATE}".
On Unix-like systems we can make progress by extracting $HOME from the start of the path and replacing it with ~, but that isn't really a done thing on Windows AFAIK.
If we come up with a good solution here, we should consider applying it to the locations that include paths in our log messages or errors: fs-mistrust, tor-persist, and tor-dirmgr.
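A sketch of the $HOME-to-~ substitution described above for Unix-like paths, as an added example that is not code from Arti or safelog. The helper name `redact_home` is hypothetical, the sample paths are constructed, and the caller is assumed to supply the home directory (for instance from $HOME).

```rust
use std::path::{Path, PathBuf};

/// Format `path` for a log or error message, replacing a leading `home`
/// directory with `~`. Hypothetical helper, not an Arti or safelog API.
fn redact_home(path: &Path, home: Option<&Path>) -> String {
    let home = match home {
        // Ignore an unset, empty, relative, or root-only home value:
        // substituting it would either be meaningless or turn every
        // absolute path into "~/...".
        Some(h) if h.is_absolute() && h.parent().is_some() => h,
        _ => return path.display().to_string(),
    };
    // strip_prefix compares whole path components, so a home of
    // /home/nick does not match /home/nickolas/notes.
    match path.strip_prefix(home) {
        Ok(rest) if rest.as_os_str().is_empty() => "~".to_string(),
        Ok(rest) => format!("~/{}", rest.display()),
        Err(_) => path.display().to_string(),
    }
}

fn main() {
    // Constructed sample paths, not taken from any real system.
    let home = PathBuf::from("/home/nick");
    let samples = [
        "/home/nick/.local/share/arti/state",
        "/home/nickolas/notes",
        "/srv/onion-services/nicks-onion-blog/",
    ];
    for p in samples {
        println!("Could not open {}", redact_home(Path::new(p), Some(&home)));
    }
}
```

Paths outside the home directory, such as the /srv/onion-services/ case above, pass through unchanged, so this substitution covers only the username-in-path kind of sensitivity.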