Skip to content

GitLab

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Open
Created by teor@teor

Check all logging output is appropriately escaped / escaped_safe_str_client

Security bugs like legacy/trac#16891 (moved) show up every so often, where sensitive input is logged, rather than being obscured. Similarly, client input is sometimes logged unsanitised (I fixed one of these in the directory request logging code about 9-12 months ago.)

It would be great if someone could review all the strings that are logged by Tor, and categorise them into:

  • static or calculated internally: trusted, log as-is
  • externally provided: unsanitised, use escaped()
  • sensitive client information: use escaped_safe_str_client()

Do we want this in 0.2.7, or should we leave it until 0.2.8?

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information