From 6af30daee8651a8a2329f14fce217c342d82207d Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Thu, 3 Oct 2019 11:54:56 +0100
Subject: [PATCH 1/2] Replace client_secret with in server logs
---
 synapse/http/__init__.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/synapse/http/__init__.py b/synapse/http/__init__.py
index 3acf772cd16b..3880ce0d944a 100644
--- a/synapse/http/__init__.py
+++ b/synapse/http/__init__.py
@@ -42,11 +42,13 @@ def cancelled_to_request_timed_out_error(value, timeout):
 ACCESS_TOKEN_RE = re.compile(r"(\?.*access(_|%5[Ff])token=)[^&]*(.*)$")
+CLIENT_SECRET_RE = re.compile(r"(\?.*client(_|%5[Ff])secret=)[^&]*(.*)$")
 def redact_uri(uri):
- """Strips access tokens from the uri replaces with """
- return ACCESS_TOKEN_RE.sub(r"\1\3", uri)
+ """Strips sensitive information from the uri replaces with """
+ uri = ACCESS_TOKEN_RE.sub(r"\1\3", uri)
+ return CLIENT_SECRET_RE.sub(r"\1\3", uri)
 class QuieterFileBodyProducer(FileBodyProducer):
From 86f9de1bf1371d06ba27e6fc45f04779b5fc32ab Mon Sep 17 00:00:00 2001
From: Andrew Morgan
Date: Thu, 3 Oct 2019 11:57:39 +0100
Subject: [PATCH 2/2] Add changelog
---
 changelog.d/6158.bugfix | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/6158.bugfix
diff --git a/changelog.d/6158.bugfix b/changelog.d/6158.bugfix
new file mode 100644
index 000000000000..6b48fce05e72
--- /dev/null
+++ b/changelog.d/6158.bugfix
@@ -0,0 +1 @@
+Redact `client_secret` in server logs.
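Review bot: The added `CLIENT_SECRET_RE` can match at most once per URI, because the greedy `.*` after `\?` and the trailing `(.*)$` make it consume the rest of the string and settle on the last `client_secret=`. A request that repeats the parameter would therefore keep its earlier values in the log line. Which copy the server acts on is not visible in this hunk, so that part needs confirming. A pattern that matches each parameter separately, for example `CLIENT_SECRET_RE = re.compile(r"([?&]client(_|%5[Ff])secret=)[^&]*")` with `\3` dropped from the replacement string, lets `sub` rewrite every occurrence; `ACCESS_TOKEN_RE` has the same shape and the same gap. A unit test for `redact_uri` covering a repeated parameter and the `%5F` spelling would keep the redaction from regressing.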