security: downgrade RAOP auth logging from info to debug level

Information Disclosure: High

The RTSP client logs all HTTP headers and full RTSP request messages
at INFO level, which includes Authorization headers containing
credentials (Base64-encoded for Basic auth, hash responses for Digest
auth). The WWW-Authenticate challenge header with realm and nonce
values is also logged at INFO level.

INFO-level logs are commonly collected by system logging daemons and
may be stored in world-readable log files, exposing credentials.

Downgrade all three logging calls to DEBUG level, which is only
enabled during explicit debugging sessions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-24 16:20:50 +02:00
parent 4f9e59b87d
commit ebbc9acc90
2 changed files with 3 additions and 3 deletions


@ -1327,7 +1327,7 @@ static int rtsp_do_options_auth(struct impl *impl, const struct spa_dict *header
return -ENOTSUP;
}
pw_log_info("Auth: %s", str);
pw_log_debug("Auth: %s", str);
spa_auto(pw_strv) tokens = pw_split_strv(str, " ", INT_MAX, &n_tokens);
if (tokens == NULL || tokens[0] == NULL)
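Review bot: changing pw_log_info to pw_log_debug on the "Auth: %s" line still writes the complete header value to the log whenever debug output is enabled, and debug logs are exactly what users are asked to attach to bug reports, so the realm/nonce or credential material the commit message describes can still leak through that path. Since the code immediately splits str on " " and only branches on tokens[0], consider moving the log after the split and printing just the scheme token, e.g. `pw_log_debug("Auth scheme: %s", tokens[0]);`, so the parameter or credential part of the header never reaches the log at any level. The hunk also covers only one of the three calls the message says were downgraded; the other two (full RTSP request messages and the WWW-Authenticate challenge) are in the second changed file, and the same redaction concern applies there.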