From c7853655902e7170657f5f96d0fead024c2da7c0 Mon Sep 17 00:00:00 2001 From: gbrodman Date: Thu, 9 Jul 2026 11:49:48 -0400 Subject: [PATCH] Remove reconstructed XSRF token from log (#3141) A.3 #13 --- .../main/java/google/registry/security/XsrfTokenManager.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/core/src/main/java/google/registry/security/XsrfTokenManager.java b/core/src/main/java/google/registry/security/XsrfTokenManager.java index eb27ebe59..40fddbcf8 100644 --- a/core/src/main/java/google/registry/security/XsrfTokenManager.java +++ b/core/src/main/java/google/registry/security/XsrfTokenManager.java @@ -104,8 +104,7 @@ public final class XsrfTokenManager { // Reconstruct the token to verify validity. String reconstructedToken = encodeToken(ServerSecret.get().asBytes(), email, timestampMillis); if (!MessageDigest.isEqual(token.getBytes(UTF_8), reconstructedToken.getBytes(UTF_8))) { - logger.atWarning().log( - "Reconstructed XSRF mismatch (got != expected): %s != %s", token, reconstructedToken); + logger.atWarning().log("Token %s didn't match expected reconstructed token", token); return false; } return true;