Remove headers from HTTPServerRequest repr

 * In tornadoweb/tornado#1112 it was decided to stop including headers
   in the request repr, since they are needlessly verbose and risk
   leaking user secrets into the application log.

diff --git a/tornado/httputil.py b/tornado/httputil.py
index a98273aec0ed13099aa97ef35876b76783edc338..f2b289b32a5cd38fc86a685f768884e166e9b9d8 100755 (executable)
--- a/tornado/httputil.py
+++ b/tornado/httputil.py
@@ -467,8 +467,7 @@ class HTTPServerRequest(object):
     def __repr__(self):
         attrs = ("protocol", "host", "method", "uri", "version", "remote_ip")
         args = ", ".join(["%s=%r" % (n, getattr(self, n)) for n in attrs])
-        return "%s(%s, headers=%s)" % (
-            self.__class__.__name__, args, dict(self.headers))
+        return "%s(%s)" % (self.__class__.__name__, args)
 
 
 class HTTPInputError(Exception):

diff --git a/tornado/test/httputil_test.py b/tornado/test/httputil_test.py
index 7ac79925723e6bdc2327164578fd331a1d189717..1521ca03eea97ef9d51233c9d61ab2ce5ae22685 100644 (file)
--- a/tornado/test/httputil_test.py
+++ b/tornado/test/httputil_test.py
@@ -418,6 +418,10 @@ class HTTPServerRequestTest(unittest.TestCase):
         requets = HTTPServerRequest(uri='/')
         self.assertIsInstance(requets.body, bytes)
 
+    def test_repr_does_not_contain_headers(self):
+        request = HTTPServerRequest(uri='/', headers={'Canary': 'Coal Mine'})
+        self.assertTrue('Canary' not in repr(request))
+
 
 class ParseRequestStartLineTest(unittest.TestCase):
     METHOD = "GET"