security: downgrade RAOP auth logging from info to debug level

Information Disclosure: High

The RTSP client logs all HTTP headers and full RTSP request messages
at INFO level, which includes Authorization headers containing
credentials (Base64-encoded for Basic auth, hash responses for Digest
auth). The WWW-Authenticate challenge header with realm and nonce
values is also logged at INFO level.

INFO-level logs are commonly collected by system logging daemons and
may be stored in world-readable log files, exposing credentials.

Downgrade all three logging calls to DEBUG level, which is only
enabled during explicit debugging sessions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-24 16:20:50 +02:00
parent 4f9e59b87d
commit ebbc9acc90
2 changed files with 3 additions and 3 deletions


@ -319,7 +319,7 @@ static int process_header(struct pw_rtsp_client *client, char *buf)
else {
const struct spa_dict_item *it;
spa_dict_for_each(it, &client->headers->dict)
pw_log_info(" %s: %s", it->key, it->value);
pw_log_debug(" %s: %s", it->key, it->value);
client->content_length = pw_properties_get_uint32(client->headers, "Content-Length", 0);
if (client->content_length > 0)
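Review bot: the spa_dict_for_each loop still emits every header value verbatim, so once debug logging is enabled the Authorization and WWW-Authenticate values (credentials, realm, nonce) land in the log exactly as before; the level change only narrows when that happens. Consider redacting the value for those keys inside the loop, e.g. `pw_log_debug(" %s: <redacted>", it->key)` when `it->key` matches "Authorization" or "WWW-Authenticate", so the sensitive material is never written at any level.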
@ -411,7 +411,7 @@ static int flush_output(struct pw_rtsp_client *client)
data = SPA_PTROFF(msg->data, msg->offset, void);
size = msg->len - msg->offset;
} else {
pw_log_info("sent: %s", (char *)msg->data);
pw_log_debug("sent: %s", (char *)msg->data);
spa_list_remove(&msg->link);
if (msg->reply != NULL)
spa_list_append(&client->pending, &msg->link);
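Review bot: `pw_log_debug("sent: %s", (char *)msg->data)` still writes the complete outgoing RTSP request, including its Authorization line, whenever debug logging is on, so the credential exposure the commit message describes is reduced rather than removed. If the full message is useful for debugging, log the request line and non-sensitive headers only, or pass the message through a small redaction step before logging; a short comment noting that msg->data may contain credentials would also help future readers avoid raising this back to info.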