Remove contents of the Authorization header while dumping requests for broken pipe failure

[joycehuh]

• With issues:

Description

#1836
This PR fix the issue partially, with brokenpipe case, the entire httpReques containing the user credentials is still being logged as error.

How to reproduce

Client cancel a downloading request will lead to broken pipe panic, and the RecoveryWithWriter method will log it as errors including the entire http request which contains sensitive user info like Authorization token etc.

Expectations

No logging of sensitive user data in the log.

Actual result

Logs contain sensitive user data when encounter broken pipe failure.

Environment

• go version: go1.13.4
• gin version (or commit ref): v.1.5.0
• operating system: Linux

[zachnewburgh]

I also ran into this issue, which is caused by:

if brokenPipe {
  logger.Printf("%s\n%s%s", err, string(httpRequest), reset)

https://github.com/gin-gonic/gin/blob/master/recovery.go#L79

It seems like a potential fix could be:

if brokenPipe {
  logger.Printf("%s\n%s%s", err, strings.Join(headers, "\r\n"), reset)

Is there any update on progress to resolve this issue?

[ghoshabhi]

Thank you @zachnewburgh for fixing this! This was indeed an issue.