From 4c99ca8b70e313970e60db06e49f6e7327b4671d Mon Sep 17 00:00:00 2001
From: Jorge Aguado Recio
Date: Fri, 19 Jun 2026 09:32:43 +0200
Subject: [PATCH 1/2] fix: redact cookie headers to prevent information leaks
Signed-off-by: Jorge Aguado Recio
---
 .../android/lib/common/http/HttpConstants.java | 3 ++-
 .../lib/common/http/logging/LogInterceptor.kt | 17 +++++++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/http/HttpConstants.java b/owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/http/HttpConstants.java
index ce889c7319a..02a07e7aa43 100644
--- a/owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/http/HttpConstants.java
+++ b/owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/http/HttpConstants.java
@@ -1,5 +1,5 @@
 /* ownCloud Android Library is available under MIT license
- * Copyright (C) 2024 ownCloud GmbH.
+ * Copyright (C) 2026 ownCloud GmbH.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
@@ -35,6 +35,7 @@ public class HttpConstants {
 public static final String AUTHORIZATION_HEADER = "Authorization";
 public static final String COOKIE_HEADER = "Cookie";
+ public static final String SET_COOKIE_HEADER = "Set-Cookie";
 public static final String BEARER_AUTHORIZATION_KEY = "Bearer ";
 public static final String USER_AGENT_HEADER = "User-Agent";
 public static final String IF_MATCH_HEADER = "If-Match";
diff --git a/owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/http/logging/LogInterceptor.kt b/owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/http/logging/LogInterceptor.kt
index d8ab9ba89f9..552767f64d9 100644
--- a/owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/http/logging/LogInterceptor.kt
+++ b/owncloudComLibrary/src/main/java/com/owncloud/android/lib/common/http/logging/LogInterceptor.kt
@@ -1,5 +1,5 @@
 /* ownCloud Android Library is available under MIT license
- * Copyright (C) 2023 ownCloud GmbH.
+ * Copyright (C) 2026 ownCloud GmbH.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
@@ -24,7 +24,9 @@
 package com.owncloud.android.lib.common.http.logging
 import com.owncloud.android.lib.common.http.HttpConstants.AUTHORIZATION_HEADER
+import com.owncloud.android.lib.common.http.HttpConstants.COOKIE_HEADER
 import com.owncloud.android.lib.common.http.HttpConstants.OC_X_REQUEST_ID
+import com.owncloud.android.lib.common.http.HttpConstants.SET_COOKIE_HEADER
 import com.squareup.moshi.Moshi
 import com.squareup.moshi.kotlin.reflect.KotlinJsonAdapterFactory
 import okhttp3.Headers
@@ -85,11 +87,13 @@ class LogInterceptor : Interceptor {
 private fun logHeaders(headers: Headers): Map {
 val auxHeaders = headers.toMap().toMutableMap()
- if (auxHeaders.contains(AUTHORIZATION_HEADER)) {
- val authHeaderList = auxHeaders[AUTHORIZATION_HEADER]!!.split(" ")
- val authType = authHeaderList[0]
- val authInfo = if (redactAuthHeader) "[redacted]" else authHeaderList[1]
- auxHeaders[AUTHORIZATION_HEADER] = "$authType $authInfo"
+ if (redactAuthHeader) {
+ if (AUTHORIZATION_HEADER in auxHeaders) {
+ val authType = auxHeaders[AUTHORIZATION_HEADER]!!.substringBefore(" ")
+ auxHeaders[AUTHORIZATION_HEADER] = "$authType $REDACTED_VALUE"
+ }
+ if (COOKIE_HEADER in auxHeaders) { auxHeaders[COOKIE_HEADER] = REDACTED_VALUE }
+ if (SET_COOKIE_HEADER in auxHeaders) { auxHeaders[SET_COOKIE_HEADER] = REDACTED_VALUE }
 }
 return auxHeaders
 }
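Review bot: The added `COOKIE_HEADER in auxHeaders` and `SET_COOKIE_HEADER in auxHeaders` checks (and the `AUTHORIZATION_HEADER in auxHeaders` check above them) are exact-case key lookups, but `headers.toMap()` keys the map by the header names as they were received, and HTTP/2 delivers them in lowercase, so a `set-cookie` or `authorization` header would skip redaction and still be logged in full — if OkHttp normalises the case somewhere upstream this does not apply, but nothing in the hunk shows that. A second gap is `substringBefore(" ")` on the Authorization value: when the value contains no space it returns the whole value, so a scheme-less credential is logged verbatim in front of `[redacted]`. I would match the names with `equals(..., ignoreCase = true)` over the map keys, use `substringBefore(" ", missingDelimiterValue = "")`, and replace the `!!` with `getValue`, as below.
```kotlin
if (redactAuthHeader) {
    // Match header names case-insensitively: the map keeps them as received,
    // and HTTP/2 delivers them in lowercase.
    for (name in auxHeaders.keys.toList()) {
        when {
            name.equals(AUTHORIZATION_HEADER, ignoreCase = true) -> {
                // A value with no scheme prefix is entirely secret, so none of it is kept.
                val authType = auxHeaders.getValue(name).substringBefore(" ", missingDelimiterValue = "")
                auxHeaders[name] = "$authType $REDACTED_VALUE".trim()
            }
            name.equals(COOKIE_HEADER, ignoreCase = true) ||
                name.equals(SET_COOKIE_HEADER, ignoreCase = true) -> auxHeaders[name] = REDACTED_VALUE
        }
    }
}
// … unchanged: return auxHeaders …
```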
@@ -182,5 +186,6 @@ class LogInterceptor : Interceptor {
 private const val LIMIT_BODY_LOG: Long = 1000000
 private const val BINARY_OMITTED = "<-- Body end for response -- Binary -- Omitted:"
 private const val BYTES = "bytes -->"
+ private const val REDACTED_VALUE = "[redacted]"
 }
 }
From 52276e679a9116578a7e8ae349c60b6450bee7dd Mon Sep 17 00:00:00 2001
From: Jorge Aguado Recio
Date: Fri, 19 Jun 2026 09:33:11 +0200
Subject: [PATCH 2/2] chore: add calens file
Signed-off-by: Jorge Aguado Recio
---
 changelog/unreleased/4897 | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 changelog/unreleased/4897
diff --git a/changelog/unreleased/4897 b/changelog/unreleased/4897
new file mode 100644
index 00000000000..d86f0f79e39
--- /dev/null
+++ b/changelog/unreleased/4897
@@ -0,0 +1,6 @@
+Security: Redact cookie headers in logs
+
+Cookie headers have been redacted in the logs depending on the app
+configuration, in order to prevent sensitive information leaks.
+
+https://github.com/owncloud/android/pull/4897