
fix: redact cookie headers to prevent information leaks#4897

Merged
joragua merged 2 commits into master from fix/cookie_header_redacted
Jun 19, 2026

@joragua joragua commented Jun 18, 2026

Contributor

Related Issues

Comes from: https://kiteworks.atlassian.net/browse/OC10-95

It depends on the redact_auth_header_logs configuration in setup.xml. If it is set to true, the values of the cookie headers (Cookie and Set-Cookie) are replaced with [redacted] (the same as the Authorization header).

Reference: #4249

  • Add changelog files for the fixed issues in folder changelog/unreleased. More info here
  • Add feature to Release Notes in ReleaseNotesViewModel.kt creating a new ReleaseNote() with String resources (if required)

QA

@joragua joragua self-assigned this Jun 18, 2026
@joragua joragua added this to the 4.8.2 - Current milestone Jun 18, 2026
@joragua joragua force-pushed the fix/cookie_header_redacted branch from 99e9104 to fa7db83 Compare June 18, 2026 12:13
@joragua joragua marked this pull request as ready for review June 18, 2026 12:24
@joragua joragua requested a review from jesmrec June 18, 2026 12:24

@jesmrec jesmrec left a comment

Member

Two changes, @joragua

Comment thread changelog/unreleased/4897
joragua added 2 commits June 19, 2026 09:32
Signed-off-by: Jorge Aguado Recio <jorgeagurec@gmail.com>
Signed-off-by: Jorge Aguado Recio <jorgeagurec@gmail.com>
@joragua joragua force-pushed the fix/cookie_header_redacted branch from fa7db83 to 52276e6 Compare June 19, 2026 07:33
@joragua joragua requested a review from jesmrec June 19, 2026 07:38

@jesmrec jesmrec left a comment

Member

CR Approved, moving to QA 🚀

jesmrec commented Jun 19, 2026

Member

QA checks:

  1. redact_auth_header_logs as true (oC10 & oCIS)
     • Cookie header -> must be redacted (only oC10)
     • Set-Cookie header -> must be redacted (only oC10)
     • Authentication header -> must be redacted
  2. redact_auth_header_logs as false (oC10 & oCIS)
     • Cookie header -> not redacted (only oC10)
     • Set-Cookie header -> not redacted (only oC10)
     • Authentication header -> not redacted
  3. Change value of redact_auth_header_logs
     • from false to true
     • from true to false
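
The QA matrix above, written out as an added Kotlin example (not code from this PR or from the app): a log redactor driven by a flag that stands in for redact_auth_header_logs, exercised with the flag on, off, and switched back. `HeaderLogRedactor`, `forLog` and the sample header values are hypothetical and constructed for illustration.

```kotlin
// Added illustration; class and function names are hypothetical, not the app's own.
const val REDACTED = "[redacted]"

// Header names whose values carry credentials or session identifiers.
private val SENSITIVE_HEADERS = setOf("authorization", "cookie", "set-cookie")

class HeaderLogRedactor(private val redactEnabled: () -> Boolean) {
    // Returns the headers as they should be written to the log.
    // Names are matched case-insensitively (HTTP/2 sends them in lower case),
    // and every occurrence of a repeated header such as Set-Cookie is handled.
    fun forLog(headers: List<Pair<String, String>>): List<Pair<String, String>> {
        if (!redactEnabled()) return headers
        return headers.map { (name, value) ->
            if (name.lowercase() in SENSITIVE_HEADERS) name to REDACTED else name to value
        }
    }
}

fun main() {
    // Constructed sample headers; no real tokens or cookies.
    val headers = listOf(
        "Authorization" to "Bearer constructed-token",
        "cookie" to "session=constructed-value",
        "Set-Cookie" to "a=constructed-1; HttpOnly",
        "Set-Cookie" to "b=constructed-2; Secure",
        "Content-Type" to "application/xml",
    )
    var flag = true // stands in for redact_auth_header_logs from setup.xml
    val redactor = HeaderLogRedactor { flag }

    // Check 1: flag true -> the four sensitive values are replaced, the rest untouched.
    val on = redactor.forLog(headers)
    check(on.count { it.second == REDACTED } == 4)
    check(on.last() == ("Content-Type" to "application/xml"))

    // Check 2: flag false -> headers are logged unchanged.
    flag = false
    check(redactor.forLog(headers) == headers)

    // Check 3: flag switched back to true -> redaction applies again on the next call.
    flag = true
    check(redactor.forLog(headers).none { "constructed" in it.second })

    on.forEach { (name, value) -> println("$name: $value") }
}
```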

jesmrec commented Jun 19, 2026

Member

Approved on my side!

@joragua joragua merged commit 25cab2e into master Jun 19, 2026
10 checks passed
@joragua joragua deleted the fix/cookie_header_redacted branch June 19, 2026 09:22