Closed nkottary closed 10 months ago
IIUC this isn't really a leak since it just prints the request which resulted in the error. Still a good idea to skip printing of sensitive headers I suppose.
Fixed by #1126 (and #1127 should mitigate any similar possible leaks).
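One way to skip printing sensitive headers whenever an error displays the request, as an added example that is neither HTTP.jl's code nor the change made in #1126. `DemoRequest`, `DemoRequestError`, `redact` and the list of masked header names are hypothetical, and the token is a constructed placeholder.

```julia
# Added example: stand-in types, not HTTP.jl's. All names here are hypothetical.

# Headers whose values must never reach logs (assumed list; extend as needed).
const SENSITIVE_HEADERS = Set(["authorization", "proxy-authorization", "cookie", "set-cookie"])

struct DemoRequest
    method::String
    target::String
    headers::Vector{Pair{String,String}}
end

struct DemoRequestError <: Exception
    request::DemoRequest
    cause::Exception
end

# Header names are case-insensitive, so compare in lowercase.
is_sensitive(name::AbstractString) = lowercase(name) in SENSITIVE_HEADERS

# Replace the value of a sensitive header, keeping the name so the log stays useful.
redact(h::Pair{String,String}) = is_sensitive(first(h)) ? (first(h) => "******") : h

# Every textual rendering of the request goes through `redact`.
function Base.show(io::IO, r::DemoRequest)
    println(io, r.method, " ", r.target, " HTTP/1.1")
    for (name, value) in redact.(r.headers)
        println(io, name, ": ", value)
    end
end

# The error display reuses the request's `show`, so it cannot bypass redaction.
function Base.showerror(io::IO, e::DemoRequestError)
    print(io, "DemoRequestError: ")
    showerror(io, e.cause)
    println(io, " while requesting:")
    show(io, e.request)
end

# Constructed sample request; the token is a made-up placeholder.
req = DemoRequest("GET", "/", ["Host" => "127.0.0.1:8080",
                               "authorization" => "Bearer PLACEHOLDER-TOKEN"])
err = DemoRequestError(req, EOFError())

rendered = sprint(showerror, err)
@assert !occursin("PLACEHOLDER-TOKEN", rendered)    # the secret is not in the message
@assert occursin("authorization: ******", rendered) # the header name is still visible
print(rendered)
```

Masking at the `show` level rather than at each logging call site means stack traces, REPL output and log handlers all get the redacted form.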
The problem: The value of the Authorization header is printed as is when displaying a RequestError. This leaks the token in the key to the logs.
Steps to reproduce:
1) The following HTTP server has an error in it, so it will result in an EOF error for clients:
Run this as a server:
julia server.jl
2) Send a request to this server with an Authorization header:
Example:
3) This results in an error with the Authorization header revealed in the stack trace: