• could it because I have this in my config? log_writers[] = "screen"
• I'm wondering whether this error would have been logged without this?
• this ERROR was triggered in Tracking API in piwik.php
• I think this would only affect users that have not disabled browser trigger archiving

OK maybe it isn't a critical security bug as maybe this could only occur when [Tracker] debug=1 in the config? (which was set for me when I saw this error in the notification)

one solution could be to remove XYZ whenever a notification wants to display token_auth=XYZ

log_writers[] = "screen" is enabled by default.

If we want to globally fix this, I'd say that nothing that gets executed as super user should log to the current user (which could be anonymous). So logging for stuff executed as SU should not go to screen (because else it could happen somewhere else, not simply logging the token auth but logging anything related to SU or system).

But is there a way to know whether we are currently in super user mode?

More generally I think there should be a clear isolation between the current user request and "do as super user" stuff. Mixups and info leaks could happen with the logs but also maybe with anything that stores stuff in the session, maybe the cookies, maybe user settings, maybe stuff like activity log, etc, do you see anything else? In theory nothing user-related should be shared between those 2 contexts, just like if the super user stuff was running in a separate PHP process.

E.g. imagine the activity log logs an action that was done by "doAsSuperUser" while running in an anonymous user's request. Not a security issue, but it's an example of a mixup between those 2 "contexts".

Back to the issue here, the token is logged to screen but also to file. If that is not OK to log the token to file, maybe we should try to avoid logging the token at all in the first place?

maybe we should try to avoid logging the token at all in the first place?

+1
since we can't enforce developers / humans to not log the token (also it may appear in backtrace or other places) then I can only think of a solution of replacing any hex string of 32 chars with token_auth_removed or so?

Just a loose thought - wouldn't that kind of approach remove also useful things from logs ?
For ex. done flags for segments (might be useful while debuging archiving), or any other thing that also is using md5 hashing ?

Replacing token_auth= 9b1cefc915ff6180071fb7dcd13ec5a4 with token_auth=removed then? Would it cover all cases?

Yes, I think. Also just got another thought - it could be configurable param in case we would like to actually see what token auth is being used (maybe for debuging scheduled reports - we could check if wrong token is reason for task failing or so). Probably there would be more cases when we would like to verify if proper token is being used for given API call

Replacing token_auth= 9b1cefc915ff6180071fb7dcd13ec5a4 with token_auth=removed then? Would it cover all cases?

I think so, +1

I have pushed a commit that does the replacement. Should we close this?

Looks good to me