
review logging in libs to check that no app names are being leaked

The audit pointed out some leaks of the APK download URLs and local file paths. Those logging calls should use something like Utils.debugLog() so they are only logged in debug builds.

https://git.radicallyopensecurity.com/ros/pen-nlnet-ngip-trackingthetrackers/-/issues/4

Here are the places I found that need this:

diff --git a/libs/download/src/androidMain/kotlin/org/fdroid/download/HttpDownloader.kt b/libs/download/src/androidMain/kotlin/org/fdroid/download/HttpDownloader.kt
index 7c011a470..5f146705b 100644
--- a/libs/download/src/androidMain/kotlin/org/fdroid/download/HttpDownloader.kt
+++ b/libs/download/src/androidMain/kotlin/org/fdroid/download/HttpDownloader.kt
@@ -146,15 +146,15 @@ public class HttpDownloader constructor(
         val fileLength = outputFile.length()
         if (fileLength > (fileSize ?: -1)) {
             if (!outputFile.delete()) log.warn {
-                "Warning: " + outputFile.absolutePath + " not deleted"
+                "Warning: " + outputFile.absolutePath + " not deleted" // TODO debugLog
             }
         } else if (fileLength == fileSize && outputFile.isFile) {
-            log.info { "Already have outputFile, not download. ${outputFile.absolutePath}" }
+            log.info { "Already have outputFile, not download. ${outputFile.absolutePath}" } // TODO debugLog
             return // already have it!
         } else if (fileLength > 0) {
             resumable = true
         }
-        log.info { "downloading ${request.indexFile.name} (is resumable: $resumable)" }
+        log.info { "downloading ${request.indexFile.name} (is resumable: $resumable)" } // TODO debugLog
         runBlocking {
             try {
                 downloadFromBytesReceiver(resumable)
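Review bot: The `log.warn` on the failed `outputFile.delete()` should not simply be moved to debug-only logging, because a release build would then lose the only visible signal that a stale or oversized file was left on disk. Keep the warning but drop the path from it, e.g. `log.warn { "Warning: outputFile not deleted" }`, and emit `outputFile.absolutePath` separately at debug level if the logger in use offers one. The `downloading ${request.indexFile.name}` line also carries the file name, which presumably identifies the app as much as the path does, so it needs the same treatment as the two path-bearing lines. The enclosing function starts and ends outside this hunk.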
diff --git a/libs/download/src/commonMain/kotlin/org/fdroid/download/HttpManager.kt b/libs/download/src/commonMain/kotlin/org/fdroid/download/HttpManager.kt
index e5eba4eea..e84a04858 100644
--- a/libs/download/src/commonMain/kotlin/org/fdroid/download/HttpManager.kt
+++ b/libs/download/src/commonMain/kotlin/org/fdroid/download/HttpManager.kt
@@ -96,7 +96,7 @@ public open class HttpManager @JvmOverloads constructor(
         val response: HttpResponse = try {
             mirrorChooser.mirrorRequest(request) { mirror, url ->
                 resetProxyIfNeeded(request.proxy, mirror)
-                log.info { "HEAD $url" }
+                log.info { "HEAD $url" } // TODO only log in debug builds
                 httpClient.head(url) {
                     addQueryParameters()
                     // add authorization header from username / password if set
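Review bot: The TODO on `log.info { "HEAD $url" }` does not say how "debug builds" is to be decided, and this file sits in `commonMain`, where an app-side helper such as the `Utils.debugLog()` named in the issue is presumably not reachable. One option that needs no build flag inside the library is to lower the call to debug level, `log.debug { "HEAD $url" }` (assuming the logger has one), and have the app keep that level disabled in release builds. The same applies to `log.info { "GET $url" }` in the next hunk; the two TODO comments should also use one wording so a single search finds every call still to be converted. Both enclosing functions continue outside their hunks.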
@@ -153,7 +153,7 @@ public open class HttpManager @JvmOverloads constructor(
         skipFirstBytes: Long,
     ): HttpStatement {
         resetProxyIfNeeded(request.proxy, mirror)
-        log.info { "GET $url" }
+        log.info { "GET $url" } // TODO debugLog
         return httpClient.prepareGet(url) {
             addQueryParameters()
             // add authorization header from username / password if set