diff --git a/zephyr/lib/bugdown/__init__.py b/zephyr/lib/bugdown/__init__.py index 2d9fa2c6c3..f4068bea40 100644 --- a/zephyr/lib/bugdown/__init__.py +++ b/zephyr/lib/bugdown/__init__.py @@ -1,6 +1,7 @@ import markdown import logging import traceback +import re from zephyr.lib.avatar import gravatar_hash from zephyr.lib.bugdown import codehilite @@ -42,6 +43,16 @@ MAX_MD_ENGINE_USES = 30 _md_engine = None _use_count = 0 +# We want to log Markdown parser failures, but shouldn't log the actual input +# message for privacy reasons. The compromise is to replace all alphanumeric +# characters with 'x'. +# +# We also use repr() to improve reproducibility, and to escape terminal control +# codes, which can do surprisingly nasty things. +_privacy_re = re.compile(r'\w', flags=re.UNICODE) +def _sanitize_for_log(md): + return repr(_privacy_re.sub('x', md)) + def _linkify(match): url = match.group('url') return ' [%s](%s) ' % (url, url) @@ -62,14 +73,9 @@ def convert(md): html = _md_engine.convert(md) except: # FIXME: Do something more reasonable here! - # - # NB: For security, we must not print the bare Markdown input. - # It could contain terminal control codes, which can do - # surprisingly nasty things. - html = '
[Humbug note: Sorry, we could not understand the formatting of your message]
' - logging.getLogger('').error('Exception in Markdown parser: %sInput was: %s' - % (traceback.format_exc(), repr(md))) + logging.getLogger('').error('Exception in Markdown parser: %sInput (sanitized) was: %s' + % (traceback.format_exc(), _sanitize_for_log(md))) _use_count += 1 if _use_count >= MAX_MD_ENGINE_USES: