fix changelog

2023-07-19 19:35:25 +01:00 · 2023-07-19 19:35:25 +01:00 · 8f420e6f53
parent bc78ceb420
commit 8f420e6f53
2 changed files with 13 additions and 10 deletions
--- a/actix-web/CHANGES.md
+++ b/actix-web/CHANGES.md
@ -10,6 +10,7 @@
 ### Changed

 - Handler functions can now receive up to 16 extractor parameters.
+- Hide sensitive header values in `HttpRequest`'s `Debug` output.
 - Minimum supported Rust version (MSRV) is now 1.65 due to transitive `time` dependency.

 ## 4.3.1 - 2023-02-26
@ -18,11 +19,6 @@

 - Add support for custom methods with the `#[route]` macro. [#2969]

-### Fixed
-
- Hide `Authorization` and `Proxy-Authorization` header in `HttpRequest` Debug output [#2953]
-
-[#2953]: https://github.com/actix/actix-web/pull/2953
 [#2969]: https://github.com/actix/actix-web/pull/2969

 ## 4.3.0 - 2023-01-21
--- a/actix-web/src/request.rs
+++ b/actix-web/src/request.rs
@ -435,24 +435,28 @@ impl fmt::Debug for HttpRequest {
            self.inner.head.method,
            self.path()
        )?;
+
        if !self.query_string().is_empty() {
            writeln!(f, "  query: ?{:?}", self.query_string())?;
        }
+
        if !self.match_info().is_empty() {
            writeln!(f, "  params: {:?}", self.match_info())?;
        }
+
        writeln!(f, "  headers:")?;
+
        for (key, val) in self.headers().iter() {
-            // Hide sensitive header from debug output
            match key {
+                // redact sensitive header values from debug output
                &crate::http::header::AUTHORIZATION
                | &crate::http::header::PROXY_AUTHORIZATION
-                | &crate::http::header::COOKIE => {
-                    writeln!(f, "    {:?}: {:?}", key, "*redacted*")?
-                }
+                | &crate::http::header::COOKIE => writeln!(f, "    {:?}: {:?}", key, "*redacted*")?,
+
                _ => writeln!(f, "    {:?}: {:?}", key, val)?,
            }
        }
+
        Ok(())
    }
 }
@ -931,7 +935,10 @@ mod tests {
    fn proxy_authorization_header_hidden_in_debug() {
        let proxy_authorization_header = "secret value";
        let req = TestRequest::get()
-            .insert_header((crate::http::header::PROXY_AUTHORIZATION, proxy_authorization_header))
+            .insert_header((
+                crate::http::header::PROXY_AUTHORIZATION,
+                proxy_authorization_header,
+            ))
            .to_http_request();

        assert!(!format!("{:?}", req).contains(proxy_authorization_header));