From: Tollef Fog Heen <tfheen@err.no>
Date: Tue, 27 Oct 2009 20:03:19 +0000 (+0100)
Subject: Don't log the OTP publically
X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=53235b396dfb5d2c46e96379f7177a3aa315f88c;p=yubikey-server-c

Don't log the OTP publically

The OTP might not be an OTP, but an actual password, so don't log it
publically.
---

diff --git a/src/main.c b/src/main.c
index 174a896..993c4c7 100644
--- a/src/main.c
+++ b/src/main.c
@@ -373,7 +373,7 @@ static int handle_request(void * UNUSED(data),
 	otp = MHD_lookup_connection_value(conn, MHD_GET_ARGUMENT_KIND, "otp");
 	h = MHD_lookup_connection_value(conn, MHD_GET_ARGUMENT_KIND, "h");
 	syslog(LOG_DEBUG, "Got new connection with parameters: "
-	       "url=%s id=%s otp=%s, h=%s\n", url, id, otp, h);
+	       "url=%s id=%s otp=<hidden>, h=%s\n", url, id, h);
 
 	/* Do query to grab shared secret, we need this later anyway */
 	if (get_shared_secret(id, &shared_secret, &shared_secret_len) < 0) {