Do not log token or challenge with exception stacktrace (#25026)

* Make the filtering better readable

* Add some more methods to the sensitive list

1 files changed, 27 insertions, 1 deletions

diff --git a/lib/private/Log.php b/lib/private/Log.php
index 6028064a878..49223521916 100644
--- a/lib/private/Log.php
+++ b/lib/private/Log.php
@@ -60,6 +60,32 @@ class Log implements ILogger {
 	/** @var Normalizer */
 	private $normalizer;
 
+	protected $methodsWithSensitiveParameters = [
+		// Session/User
+		'login',
+		'checkPassword',
+		'updatePrivateKeyPassword',
+		'validateUserPass',
+
+		// TokenProvider
+		'getToken',
+		'isTokenPassword',
+		'getPassword',
+		'decryptPassword',
+		'logClientIn',
+		'generateToken',
+		'validateToken',
+
+		// TwoFactorAuth
+		'solveChallenge',
+		'verifyChallenge',
+
+		//ICrypto
+		'calculateHMAC',
+		'encrypt',
+		'decrypt',
+	];
+
 	/**
 	 * @param string $logger The logger that should be used
 	 * @param SystemConfig $config the system config object
@@ -286,7 +312,7 @@ class Log implements ILogger {
 			'File' => $exception->getFile(),
 			'Line' => $exception->getLine(),
 		);
-		$exception['Trace'] = preg_replace('!(login|checkPassword|updatePrivateKeyPassword|validateUserPass)\(.*\)!', '$1(*** username and password replaced ***)', $exception['Trace']);
+		$exception['Trace'] = preg_replace('!(' . implode('|', $this->methodsWithSensitiveParameters) . ')\(.*\)!', '$1(*** sensitive parameters replaced ***)', $exception['Trace']);
 		$msg = isset($context['message']) ? $context['message'] : 'Exception';
 		$msg .= ': ' . json_encode($exception);
 		$this->error($msg, $context);