GitLab

Security bugs like legacy/trac#16891 (moved) show up every so often, where sensitive input is logged, rather than being obscured. Similarly, client input is sometimes logged unsanitised (I fixed one of these in the directory request logging code about 9-12 months ago.)

It would be great if someone could review all the strings that are logged by Tor, and categorise them into:

• static or calculated internally: trusted, log as-is
• externally provided: unsanitised, use escaped()
• sensitive client information: use escaped_safe_str_client()

Do we want this in 0.2.7, or should we leave it until 0.2.8?