From 6b99d126da4c38cd5a5c4d6306fd30f05fd93d3c Mon Sep 17 00:00:00 2001
From: David Francoeur
Date: Fri, 13 Mar 2026 15:41:12 -0400
Subject: [PATCH 1/3] prevent sensitive header value being logged

---
 CHANGELOG.rst | 3 +--
 src/hpack/hpack.py | 14 ++++++++++----
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 8b4c060..22eb2ee 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -14,10 +14,9 @@ dev
 - Support for Python 3.14 has been added.
 - Support for PyPy 3.11 has been added.
-
 **Bugfixes**
--
+- Prevent sensitive headers from being leaked
 4.1.0 (2025-01-22)
 ------------------
diff --git a/src/hpack/hpack.py b/src/hpack/hpack.py
index 7e33e77..5efcf92 100644
--- a/src/hpack/hpack.py
+++ b/src/hpack/hpack.py
@@ -284,16 +284,22 @@ def encode(self,
     def add(self, to_add: tuple[bytes, bytes], sensitive: bool, huffman: bool = False) -> bytes:
         """
         Serializes a header key-value tuple.
+
+        When sensitive is True, the header will not be added to the header table,
+        furthermore, the header value will be redacted in debug logs, as "SENSITIVE_REDACTED",
+        to prevent accidental exposure of sensitive information.
         """
+        name, value = to_add
+
+        display_value = value if not sensitive else b"SENSITIVE_REDACTED"
         log.debug(
-            "Adding %s to the header table, sensitive:%s, huffman:%s",
-            to_add,
+            "Adding %s=%s to the header table, sensitive:%s, huffman:%s",
+            name,
+            display_value,
             sensitive,
             huffman,
         )
-        name, value = to_add
-
         # Set our indexing mode
         indexbit = INDEX_INCREMENTAL if not sensitive else INDEX_NEVER

From 2ce67e7c5cea192645b91b268f1716296e86aa65 Mon Sep 17 00:00:00 2001
From: Thomas Kriechbaumer
Date: Sun, 15 Mar 2026 14:29:01 +0100
Subject: [PATCH 2/3] Apply suggestion from @Kriechi

---
 src/hpack/hpack.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/hpack/hpack.py b/src/hpack/hpack.py
index 5efcf92..a017caa 100644
--- a/src/hpack/hpack.py
+++ b/src/hpack/hpack.py
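Review bot: The redaction only covers the `log.debug` call inside `add()`; the method named in this hunk's header, `encode()` (outside the hunk), holds the full header list before it calls `add`, and if it — or the decoder's debug output — logs that list as-is, the sensitive value still reaches the log and the changelog claim holds only for this one call site. The series also touches no test file (the diffstat lists only CHANGELOG.rst and src/hpack/hpack.py), so nothing pins the new behaviour; a test that encodes a header with `sensitive=True` under `caplog` at DEBUG and asserts the raw value is absent while `SENSITIVE_REDACTED` is present would keep it from regressing. As a style point, `display_value = value if not sensitive else b"SENSITIVE_REDACTED"` reads better without the double negative, `display_value = b"SENSITIVE_REDACTED" if sensitive else value`, and lifting the placeholder into a module-level constant would give the test and the changelog one name to refer to. add()'s body continues past the end of the hunk.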
@@ -285,7 +285,8 @@ def add(self, to_add: tuple[bytes, bytes], sensitive: bool, huffman: bool = Fals
         """
         Serializes a header key-value tuple.
-        When sensitive is True, the header will not be added to the header table,
+        When sensitive is True, the header will not be added to the header table
+        (see https://www.rfc-editor.org/rfc/rfc7541.html#section-7.1.3 for details),
         furthermore, the header value will be redacted in debug logs, as "SENSITIVE_REDACTED",
         to prevent accidental exposure of sensitive information.
         """

From c2360237ddf3a3b4217b92e140b48bfeed792db1 Mon Sep 17 00:00:00 2001
From: Thomas Kriechbaumer
Date: Sun, 15 Mar 2026 14:31:13 +0100
Subject: [PATCH 3/3] Apply suggestion from @Kriechi

---
 CHANGELOG.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 22eb2ee..ddb58c6 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -16,7 +16,7 @@ dev
 **Bugfixes**
-- Prevent sensitive headers from being leaked
+- Headers marked as `sensitive` will no longer log their value at DEBUG level. Instead a placeholder value of `SENSITIVE_REDACTED` is logged.
 4.1.0 (2025-01-22)
 ------------------
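Review bot: The revised docstring sentence is now a comma splice running across three lines (`... for details), furthermore, the header value ...`); splitting it reads more clearly: `... for details). In addition, the header value will be redacted in debug logs as "SENSITIVE_REDACTED" to prevent accidental exposure of sensitive information.` The RFC reference explains why the header stays out of the dynamic table, not the log redaction, so a wording that keeps the two apart — never-indexing per the RFC, log redaction as this library's own safeguard — would avoid suggesting the RFC mandates the latter. add()'s signature and the rest of its body lie outside this hunk.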