Skip to content

fix: remove stream url from info logs #1341

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: remove stream url from info logs #1341

wants to merge 1 commit into from

Conversation

@martinohmann
Copy link

@martinohmann martinohmann commented Sep 6, 2024
edited
Loading

Updates #238

This solves the most prominent credential leak. With every new connection the passwords were leaked to the logs visible in the UI as well.

With this change only the stream name gets logged here.

There are other places in the codebase where we still log secret embedded in URLs, but a lot of them lack access to the stream name they could be replaced with. Most of these occurances are debug logs (which are not an issue if you're running go2rtc at >= info level), but some are warning level though. I can try to come up with a fix in a followup PR.

This change is a simpler alternative to #1219 to address the issue to rid of the password in the log line emitted whenever a stream is created.

Before:

[streams] create new stream url=rtsp://stream:[email protected]:554/stream1

After:

[streams] create new stream garage-cam

@martinohmann
fix: remove stream url from info logs
cfbd393 
This solves the most prominent credential leak. With every new
connection the passwords were leaked to the logs visible in the UI as
well.

With this change only the stream name gets logged here.

There are other places in the codebase where we still log secret
embedded in URLs, but a lot of them lack access to the stream name they
could be replaced with. Most of these occurances are debug logs, but
some are warning level though. I can try to come up with a fix in a
followup PR.

This change is a simpler alternative to
AlexxIT#1219 to address the issue to rid
of the password in the log line emitted whenever a stream is created:

    [streams] create new stream url=rtsp://stream:[email protected]:554/stream1

    [streams] create new stream garage-cam
martinohmann
martinohmann commented Sep 6, 2024
View reviewed changes
internal/streams/streams.go
log zerolog.Logger
streams = map[string]*Stream{}
streamsMu sync.Mutex
)
Copy link
Author

@martinohmann martinohmann Sep 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gofmt did this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@martinohmann