[Libreoffice-commits] online.git: Branch 'feature/anonymization-cd' - 17 commits - common/Log.cpp common/Log.hpp common/Seccomp.cpp common/Seccomp.hpp common/Session.cpp common/Session.hpp common/Util.cpp common/Util.hpp configure.ac kit/ChildSession.cpp kit/ChildSession.hpp kit/ForKit.cpp kit/Kit.cpp kit/KitHelper.hpp kit/Kit.hpp loolwsd.xml.in net/Socket.cpp test/WhiteBoxTests.cpp wsd/AdminModel.cpp wsd/ClientSession.cpp wsd/DocumentBroker.cpp wsd/DocumentBroker.hpp wsd/LOOLWSD.cpp wsd/LOOLWSD.hpp wsd/Storage.cpp wsd/Storage.hpp

Ashod Nakashian (via logerrit) logerrit at kemper.freedesktop.org
Sat Dec 7 01:50:24 UTC 2019


Rebased ref, commits from common ancestor:
commit 2b46475ced9d13d257467c559a73fb5f1b4cb58a
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Sun Jun 10 22:40:32 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:18:13 2018 -0400

    wsd: anonymize saveas
    
    Change-Id: I58e349781952a97c3251b0e52e26abb34d44e9c0

diff --git a/kit/ChildSession.cpp b/kit/ChildSession.cpp
index 57c1326bb..b273c86f0 100644
--- a/kit/ChildSession.cpp
+++ b/kit/ChildSession.cpp
@@ -1127,6 +1127,8 @@ bool ChildSession::saveAs(const char* /*buffer*/, int /*length*/, const std::vec
         return false;
     }
 
+    const std::string urlAnonym = anonymizeUrl(url);
+
     // if the url is a 'wopi:///something/blah.odt', then save to a temporary
     Poco::URI wopiURL(url);
     if (wopiURL.getScheme() == "wopi")
@@ -1162,13 +1164,13 @@ bool ChildSession::saveAs(const char* /*buffer*/, int /*length*/, const std::vec
 
         getLOKitDocument()->setView(_viewId);
 
-        LOG_DBG("Calling LOK's saveAs with: '" << url.c_str() << "', '" <<
+        LOG_DBG("Calling LOK's saveAs with: '" << urlAnonym << "', '" <<
                 (format.size() == 0 ? "(nullptr)" : format.c_str()) << "', '" <<
                 (filterOptions.size() == 0 ? "(nullptr)" : filterOptions.c_str()) << "'.");
 
         success = getLOKitDocument()->saveAs(url.c_str(),
-                format.size() == 0 ? nullptr :format.c_str(),
-                filterOptions.size() == 0 ? nullptr : filterOptions.c_str());
+                                             format.empty() ? nullptr : format.c_str(),
+                                             filterOptions.empty() ? nullptr : filterOptions.c_str());
 
         if (!success)
         {
diff --git a/wsd/Storage.cpp b/wsd/Storage.cpp
index f1fe5d79e..422d5a863 100644
--- a/wsd/Storage.cpp
+++ b/wsd/Storage.cpp
@@ -722,7 +722,6 @@ StorageBase::SaveResult WopiStorage::saveLocalFileToStorage(const Authorization&
 
     LOG_INF("Uploading URI via WOPI [" << uriAnonym << "] from [" << filePathAnonym + "].");
 
-    std::ostringstream oss;
     StorageBase::SaveResult saveResult(StorageBase::SaveResult::FAILED);
     try
     {
@@ -794,13 +793,35 @@ StorageBase::SaveResult WopiStorage::saveLocalFileToStorage(const Authorization&
 
         Poco::Net::HTTPResponse response;
         std::istream& rs = psession->receiveResponse(response);
+
+        std::ostringstream oss;
         Poco::StreamCopier::copyStream(rs, oss);
+        std::string responseString = oss.str();
+
+        const std::string wopiLog(isSaveAs ? "WOPI::PutRelativeFile" : "WOPI::PutFile");
+
+        if (Log::infoEnabled())
+        {
+            if (LOOLWSD::AnonymizeFilenames)
+            {
+                Poco::JSON::Object::Ptr object;
+                if (parseJSON(responseString, object))
+                {
+                    // Anonymize the filename
+                    std::string filename;
+                    getWOPIValue(object, "Name", filename);
+                    object->set("Name", LOOLWSD::anonymizeUsername(filename));
+                    // Stringify to log.
+                    std::ostringstream ossResponse;
+                    object->stringify(ossResponse);
+                    responseString = ossResponse.str();
+                }
+            }
 
-        std::string wopiLog(isSaveAs? "WOPI::PutRelativeFile": "WOPI::PutFile");
-        LOG_INF(wopiLog << " response: " << oss.str());
-        LOG_INF(wopiLog << " uploaded " << size << " bytes from [" << filePathAnonym <<
-                "] -> [" << uriAnonym << "]: " <<
-                response.getStatus() << " " << response.getReason());
+            LOG_INF(wopiLog << " response: " << responseString);
+            LOG_INF(wopiLog << " uploaded " << size << " bytes from [" << filePathAnonym <<
+                    "] -> [" << uriAnonym << "]: " << response.getStatus() << " " << response.getReason());
+        }
 
         if (response.getStatus() == Poco::Net::HTTPResponse::HTTP_OK)
         {
@@ -815,10 +836,10 @@ StorageBase::SaveResult WopiStorage::saveLocalFileToStorage(const Authorization&
                 if (isSaveAs)
                 {
                     const std::string name = getJSONValue<std::string>(object, "Name");
-                    LOG_TRC(wopiLog << " returns Name [" << name << "].");
+                    LOG_TRC(wopiLog << " returns Name [" << LOOLWSD::anonymizeUrl(name) << "].");
 
                     const std::string url = getJSONValue<std::string>(object, "Url");
-                    LOG_TRC(wopiLog << " returns Url [" << url << "].");
+                    LOG_TRC(wopiLog << " returns Url [" << LOOLWSD::anonymizeUrl(url) << "].");
 
                     saveResult.setSaveAsResult(name, url);
                 }
commit b8dfb55ba6c76de9916047e2ca46cf58b24ae241
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Sun Jun 10 22:30:42 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:18:13 2018 -0400

    wsd: anonymize downloadas
    
    Change-Id: I6dff7189d78d339f1f5db7afef2b62da4df23759

diff --git a/kit/ChildSession.cpp b/kit/ChildSession.cpp
index 19950fe22..57c1326bb 100644
--- a/kit/ChildSession.cpp
+++ b/kit/ChildSession.cpp
@@ -664,18 +664,20 @@ bool ChildSession::downloadAs(const char* /*buffer*/, int /*length*/, const std:
     // Prevent user inputting anything funny here.
     // A "name" should always be a name, not a path
     const Poco::Path filenameParam(name);
-    const auto url = JAILED_DOCUMENT_ROOT + tmpDir + "/" + filenameParam.getFileName();
+    const std::string url = JAILED_DOCUMENT_ROOT + tmpDir + "/" + filenameParam.getFileName();
+    const std::string nameAnonym = anonymizeUrl(name);
+    const std::string urlAnonym = JAILED_DOCUMENT_ROOT + tmpDir + "/" + Poco::Path(nameAnonym).getFileName();
 
     {
         std::unique_lock<std::mutex> lock(_docManager.getDocumentMutex());
 
-        LOG_DBG("Calling LOK's downloadAs with: '" << url.c_str() << "', '" <<
-                (format.size() == 0 ? "(nullptr)" : format.c_str()) << "', '" <<
-                (filterOptions.size() == 0 ? "(nullptr)" : filterOptions.c_str()) << "'.");
+        LOG_DBG("Calling LOK's downloadAs with: url='" << urlAnonym << "', format='" <<
+                (format.empty() ? "(nullptr)" : format.c_str()) << "', ' filterOptions=" <<
+                (filterOptions.empty() ? "(nullptr)" : filterOptions.c_str()) << "'.");
 
         getLOKitDocument()->saveAs(url.c_str(),
-                format.size() == 0 ? nullptr :format.c_str(),
-                filterOptions.size() == 0 ? nullptr : filterOptions.c_str());
+                                   format.empty() ? nullptr : format.c_str(),
+                                   filterOptions.empty() ? nullptr : filterOptions.c_str());
     }
 
     sendTextFrame("downloadas: jail=" + _jailId + " dir=" + tmpDir + " name=" + name +
diff --git a/kit/Kit.cpp b/kit/Kit.cpp
index f7a1f5821..b75be40e4 100644
--- a/kit/Kit.cpp
+++ b/kit/Kit.cpp
@@ -2412,6 +2412,25 @@ bool globalPreinit(const std::string &loTemplate)
     return true;
 }
 
+std::string anonymizeUrl(const std::string& url)
+{
+#ifndef BUILDING_TESTS
+    return AnonymizeFilenames ? Util::anonymizeUrl(url) : url;
+#else
+    return url;
+#endif
+}
+
+/// Anonymize usernames.
+std::string anonymizeUsername(const std::string& username)
+{
+#ifndef BUILDING_TESTS
+    return AnonymizeUsernames ? Util::anonymize(username) : username;
+#else
+    return username;
+#endif
+}
+
 #if !defined(BUILDING_TESTS) && !defined(KIT_IN_PROCESS)
 namespace Util
 {
diff --git a/kit/Kit.hpp b/kit/Kit.hpp
index ac80b4869..d5ca5b9a4 100644
--- a/kit/Kit.hpp
+++ b/kit/Kit.hpp
@@ -72,6 +72,12 @@ void forkLibreOfficeKit(const std::string& childRoot,
                         const std::string& loSubPath,
                         int limit = 0);
 
+/// Anonymize the basename of filenames, preserving the path and extension.
+std::string anonymizeUrl(const std::string& url);
+
+/// Anonymize usernames.
+std::string anonymizeUsername(const std::string& username);
+
 #endif
 
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/kit/KitHelper.hpp b/kit/KitHelper.hpp
index d386ea067..12af0e92b 100644
--- a/kit/KitHelper.hpp
+++ b/kit/KitHelper.hpp
@@ -194,7 +194,7 @@ namespace LOKitHelper
 
         return oss.str();
     }
-};
+}
 
 #endif
 
diff --git a/wsd/ClientSession.cpp b/wsd/ClientSession.cpp
index 010e927fa..171712606 100644
--- a/wsd/ClientSession.cpp
+++ b/wsd/ClientSession.cpp
@@ -479,8 +479,8 @@ bool ClientSession::filterMessage(const std::string& message) const
         }
         else
         {
-                allowed = false;
-                LOG_WRN("No value of id in downloadas message");
+            allowed = false;
+            LOG_WRN("No value of id in downloadas message");
         }
     }
     else if (tokens[0] == "gettextselection")
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 59d3025da..0d5a5aa35 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -2258,11 +2258,12 @@ private:
             docBrokersLock.unlock();
 
             std::string fileName;
-            bool responded = false;
             URI::decode(tokens[5], fileName);
             const Path filePath(LOOLWSD::ChildRoot + tokens[3]
                                 + JAILED_DOCUMENT_ROOT + tokens[4] + "/" + fileName);
-            LOG_INF("HTTP request for: " << filePath.toString());
+            const std::string filePathAnonym = LOOLWSD::anonymizeUrl(filePath.toString());
+            LOG_INF("HTTP request for: " << filePathAnonym);
+            bool responded = false;
             if (filePath.isAbsolute() && File(filePath).exists())
             {
                 // Instruct browsers to download the file, not display it
@@ -2287,7 +2288,7 @@ private:
             }
             else
             {
-                LOG_ERR("Download file [" << filePath.toString() << "] not found.");
+                LOG_ERR("Download file [" << filePathAnonym << "] not found.");
             }
             (void)responded;
             return;
commit fb0538cf985f683da25ebcd78ab4e1746d7a9103
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Sun Jun 10 20:55:52 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:18:12 2018 -0400

    wsd: anonymize document saving
    
    Change-Id: Ic819883e39a544ec16d6ac144a08ed9f9f568cc0

diff --git a/wsd/DocumentBroker.cpp b/wsd/DocumentBroker.cpp
index 6fb482c3c..35e9068c2 100644
--- a/wsd/DocumentBroker.cpp
+++ b/wsd/DocumentBroker.cpp
@@ -762,20 +762,21 @@ bool DocumentBroker::saveToStorageInternal(const std::string& sessionId,
     }
 
     const Authorization auth = it->second->getAuthorization();
-    const auto uri = isSaveAs? saveAsPath: it->second->getPublicUri().toString();
+    const std::string uri = isSaveAs ? saveAsPath : it->second->getPublicUri().toString();
+    const std::string uriAnonym = LOOLWSD::anonymizeUrl(uri);
 
     // If the file timestamp hasn't changed, skip saving.
     const auto newFileModifiedTime = Poco::File(_storage->getRootFilePath()).getLastModified();
     if (!isSaveAs && newFileModifiedTime == _lastFileModifiedTime)
     {
         // Nothing to do.
-        LOG_DBG("Skipping unnecessary saving to URI [" << uri << "] with docKey [" << _docKey <<
+        LOG_DBG("Skipping unnecessary saving to URI [" << uriAnonym << "] with docKey [" << _docKey <<
                 "]. File last modified " << _lastFileModifiedTime.elapsed() / 1000000 << " seconds ago.");
         _poll->wakeup();
         return true;
     }
 
-    LOG_DBG("Persisting [" << _docKey << "] after saving to URI [" << uri << "].");
+    LOG_DBG("Persisting [" << _docKey << "] after saving to URI [" << uriAnonym << "].");
 
     assert(_storage && _tileCache);
     StorageBase::SaveResult storageSaveResult = _storage->saveLocalFileToStorage(auth, saveAsPath, saveAsFilename);
@@ -795,7 +796,7 @@ bool DocumentBroker::saveToStorageInternal(const std::string& sessionId,
             // After a successful save, we are sure that document in the storage is same as ours
             _documentChangedInStorage = false;
 
-            LOG_DBG("Saved docKey [" << _docKey << "] to URI [" << uri << "] and updated timestamps. " <<
+            LOG_DBG("Saved docKey [" << _docKey << "] to URI [" << uriAnonym << "] and updated timestamps. " <<
                     " Document modified timestamp: " << _documentLastModifiedTime);
 
             // Resume polling.
@@ -804,22 +805,29 @@ bool DocumentBroker::saveToStorageInternal(const std::string& sessionId,
         else
         {
             // normalize the url (mainly to " " -> "%20")
-            std::string url = Poco::URI(storageSaveResult.getSaveAsUrl()).toString();
+            const std::string url = Poco::URI(storageSaveResult.getSaveAsUrl()).toString();
+
+            const std::string filename = storageSaveResult.getSaveAsName();
 
             // encode the name
             std::string encodedName;
-            Poco::URI::encode(storageSaveResult.getSaveAsName(), "", encodedName);
+            Poco::URI::encode(filename, "", encodedName);
+            const std::string filenameAnonym = LOOLWSD::anonymizeUrl(filename);
 
-            it->second->sendTextFrame("saveas: url=" + url + " filename=" + encodedName);
+            std::ostringstream oss;
+            oss << "saveas: url=" << url << " filename=" << encodedName
+                << " xfilename=" << filenameAnonym;
+            it->second->sendTextFrame(oss.str());
 
             LOG_DBG("Saved As docKey [" << _docKey << "] to URI [" << url <<
-                    " with name '" << encodedName << "'] successfully.");
+                    "] with name [" << filenameAnonym << "] successfully.");
         }
+
         return true;
     }
     else if (storageSaveResult.getResult() == StorageBase::SaveResult::DISKFULL)
     {
-        LOG_WRN("Disk full while saving docKey [" << _docKey << "] to URI [" << uri <<
+        LOG_WRN("Disk full while saving docKey [" << _docKey << "] to URI [" << uriAnonym <<
                 "]. Making all sessions on doc read-only and notifying clients.");
 
         // Make everyone readonly and tell everyone that storage is low on diskspace.
@@ -831,13 +839,14 @@ bool DocumentBroker::saveToStorageInternal(const std::string& sessionId,
     }
     else if (storageSaveResult.getResult() == StorageBase::SaveResult::UNAUTHORIZED)
     {
-        LOG_ERR("Cannot save docKey [" << _docKey << "] to storage URI [" << uri << "]. Invalid or expired access token. Notifying client.");
+        LOG_ERR("Cannot save docKey [" << _docKey << "] to storage URI [" << uriAnonym <<
+                "]. Invalid or expired access token. Notifying client.");
         it->second->sendTextFrame("error: cmd=storage kind=saveunauthorized");
     }
     else if (storageSaveResult.getResult() == StorageBase::SaveResult::FAILED)
     {
         //TODO: Should we notify all clients?
-        LOG_ERR("Failed to save docKey [" << _docKey << "] to URI [" << uri << "]. Notifying client.");
+        LOG_ERR("Failed to save docKey [" << _docKey << "] to URI [" << uriAnonym << "]. Notifying client.");
         it->second->sendTextFrame("error: cmd=storage kind=savefailed");
     }
     else if (storageSaveResult.getResult() == StorageBase::SaveResult::DOC_CHANGED)
diff --git a/wsd/Storage.cpp b/wsd/Storage.cpp
index ef8e76793..f1fe5d79e 100644
--- a/wsd/Storage.cpp
+++ b/wsd/Storage.cpp
@@ -488,8 +488,9 @@ std::unique_ptr<WopiStorage::WOPIFileInfo> WopiStorage::getWOPIFileInfo(const Au
     // update the access_token to the one matching to the session
     Poco::URI uriObject(_uri);
     auth.authorizeURI(uriObject);
+    const std::string uriAnonym = LOOLWSD::anonymizeUrl(uriObject.toString());
 
-    LOG_DBG("Getting info for wopi uri [" << uriObject.toString() << "].");
+    LOG_DBG("Getting info for wopi uri [" << uriAnonym << "].");
 
     std::string wopiResponse;
     std::chrono::duration<double> callDuration(0);
@@ -513,7 +514,7 @@ std::unique_ptr<WopiStorage::WOPIFileInfo> WopiStorage::getWOPIFileInfo(const Au
         auto logger = Log::trace();
         if (logger.enabled())
         {
-            logger << "WOPI::CheckFileInfo header for URI [" << uriObject.toString() << "]:\n";
+            logger << "WOPI::CheckFileInfo header for URI [" << uriAnonym << "]:\n";
             for (const auto& pair : response)
             {
                 logger << '\t' << pair.first << ": " << pair.second << " / ";
@@ -530,10 +531,10 @@ std::unique_ptr<WopiStorage::WOPIFileInfo> WopiStorage::getWOPIFileInfo(const Au
 
         Poco::StreamCopier::copyToString(rs, wopiResponse);
     }
-    catch(const Poco::Exception& pexc)
+    catch (const Poco::Exception& pexc)
     {
-        LOG_ERR("Cannot get file info from WOPI storage uri [" << uriObject.toString() << "]. Error: " << pexc.displayText() <<
-                (pexc.nested() ? " (" + pexc.nested()->displayText() + ")" : ""));
+        LOG_ERR("Cannot get file info from WOPI storage uri [" << uriAnonym << "]. Error: " <<
+                pexc.displayText() << (pexc.nested() ? " (" + pexc.nested()->displayText() + ")" : ""));
         throw;
     }
 
@@ -623,7 +624,7 @@ std::unique_ptr<WopiStorage::WOPIFileInfo> WopiStorage::getWOPIFileInfo(const Au
         else
             LOG_ERR("WOPI::CheckFileInfo failed or no valid JSON payload returned. Access denied. "
                     "Original response: [" << wopiResponse << "].");
-        throw UnauthorizedRequestException("Access denied. WOPI::CheckFileInfo failed on: " + uriObject.toString());
+        throw UnauthorizedRequestException("Access denied. WOPI::CheckFileInfo failed on: " + uriAnonym);
     }
 
     const Poco::Timestamp modifiedTime = iso8601ToTimestamp(lastModifiedTime);
@@ -640,8 +641,9 @@ std::string WopiStorage::loadStorageFileToLocal(const Authorization& auth)
     Poco::URI uriObject(_uri);
     uriObject.setPath(uriObject.getPath() + "/contents");
     auth.authorizeURI(uriObject);
+    const std::string uriAnonym = LOOLWSD::anonymizeUrl(uriObject.toString());
 
-    LOG_DBG("Wopi requesting: " << uriObject.toString());
+    LOG_DBG("Wopi requesting: " << uriAnonym);
 
     const auto startTime = std::chrono::steady_clock::now();
     try
@@ -662,7 +664,7 @@ std::string WopiStorage::loadStorageFileToLocal(const Authorization& auth)
         auto logger = Log::trace();
         if (logger.enabled())
         {
-            logger << "WOPI::GetFile header for URI [" << uriObject.toString() << "]:\n";
+            logger << "WOPI::GetFile header for URI [" << uriAnonym << "]:\n";
             for (const auto& pair : response)
             {
                 logger << '\t' << pair.first << ": " << pair.second << " / ";
@@ -685,8 +687,8 @@ std::string WopiStorage::loadStorageFileToLocal(const Authorization& auth)
                       std::istreambuf_iterator<char>(),
                       std::ostreambuf_iterator<char>(ofs));
             ofs.close();
-            LOG_INF("WOPI::GetFile downloaded " << getFileSize(_jailedFilePath) << " bytes from [" << uriObject.toString() <<
-                    "] -> " << _jailedFilePathAnonym << " in " << diff.count() << "s");
+            LOG_INF("WOPI::GetFile downloaded " << getFileSize(_jailedFilePath) << " bytes from [" <<
+                    uriAnonym << "] -> " << _jailedFilePathAnonym << " in " << diff.count() << "s");
 
             _isLoaded = true;
             // Now return the jailed path.
@@ -695,8 +697,8 @@ std::string WopiStorage::loadStorageFileToLocal(const Authorization& auth)
     }
     catch(const Poco::Exception& pexc)
     {
-        LOG_ERR("Cannot load document from WOPI storage uri [" + uriObject.toString() + "]. Error: " << pexc.displayText() <<
-                (pexc.nested() ? " (" + pexc.nested()->displayText() + ")" : ""));
+        LOG_ERR("Cannot load document from WOPI storage uri [" + uriAnonym + "]. Error: " <<
+                pexc.displayText() << (pexc.nested() ? " (" + pexc.nested()->displayText() + ")" : ""));
         throw;
     }
 
@@ -708,15 +710,17 @@ StorageBase::SaveResult WopiStorage::saveLocalFileToStorage(const Authorization&
     // TODO: Check if this URI has write permission (canWrite = true)
 
     const bool isSaveAs = !saveAsPath.empty() && !saveAsFilename.empty();
-    const std::string filePath(isSaveAs? saveAsPath: _jailedFilePath);
+    const std::string filePath(isSaveAs ? saveAsPath : _jailedFilePath);
+    const std::string filePathAnonym = LOOLWSD::anonymizeUrl(filePath);
 
     const auto size = getFileSize(filePath);
 
     Poco::URI uriObject(_uri);
     uriObject.setPath(isSaveAs? uriObject.getPath(): uriObject.getPath() + "/contents");
     auth.authorizeURI(uriObject);
+    const std::string uriAnonym = LOOLWSD::anonymizeUrl(uriObject.toString());
 
-    LOG_INF("Uploading URI via WOPI [" << LOOLWSD::anonymizeUrl(uriObject.toString()) << "] from [" << filePath + "].");
+    LOG_INF("Uploading URI via WOPI [" << uriAnonym << "] from [" << filePathAnonym + "].");
 
     std::ostringstream oss;
     StorageBase::SaveResult saveResult(StorageBase::SaveResult::FAILED);
@@ -794,8 +798,8 @@ StorageBase::SaveResult WopiStorage::saveLocalFileToStorage(const Authorization&
 
         std::string wopiLog(isSaveAs? "WOPI::PutRelativeFile": "WOPI::PutFile");
         LOG_INF(wopiLog << " response: " << oss.str());
-        LOG_INF(wopiLog << " uploaded " << size << " bytes from [" << filePath <<
-                "] -> [" << LOOLWSD::anonymizeUrl(uriObject.toString()) << "]: " <<
+        LOG_INF(wopiLog << " uploaded " << size << " bytes from [" << filePathAnonym <<
+                "] -> [" << uriAnonym << "]: " <<
                 response.getStatus() << " " << response.getReason());
 
         if (response.getStatus() == Poco::Net::HTTPResponse::HTTP_OK)
@@ -825,7 +829,7 @@ StorageBase::SaveResult WopiStorage::saveLocalFileToStorage(const Authorization&
             }
             else
             {
-                LOG_WRN("Invalid or missing JSON in " << wopiLog << " HTTP_OK response");
+                LOG_WRN("Invalid or missing JSON in " << wopiLog << " HTTP_OK response.");
             }
         }
         else if (response.getStatus() == Poco::Net::HTTPResponse::HTTP_REQUESTENTITYTOOLARGE)
@@ -850,14 +854,14 @@ StorageBase::SaveResult WopiStorage::saveLocalFileToStorage(const Authorization&
             }
             else
             {
-                LOG_WRN("Invalid or missing JSON in " << wopiLog << " HTTP_CONFLICT response");
+                LOG_WRN("Invalid or missing JSON in " << wopiLog << " HTTP_CONFLICT response.");
             }
         }
     }
     catch(const Poco::Exception& pexc)
     {
-        LOG_ERR("Cannot save file to WOPI storage uri [" + uriObject.toString() + "]. Error: " << pexc.displayText() <<
-                (pexc.nested() ? " (" + pexc.nested()->displayText() + ")" : ""));
+        LOG_ERR("Cannot save file to WOPI storage uri [" << uriAnonym << "]. Error: " <<
+                pexc.displayText() << (pexc.nested() ? " (" + pexc.nested()->displayText() + ")" : ""));
         saveResult.setResult(StorageBase::SaveResult::FAILED);
     }
 
commit 7ee6314a404f1e9b8316235414d59cdbc67b5cf8
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Sun Jun 10 20:24:04 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:18:12 2018 -0400

    wsd: anonymize jailed filename
    
    Change-Id: I0af46ae6779caf9851e3142889940e4f774f9eb9

diff --git a/wsd/AdminModel.cpp b/wsd/AdminModel.cpp
index 4b52ab82b..843ce1271 100644
--- a/wsd/AdminModel.cpp
+++ b/wsd/AdminModel.cpp
@@ -25,6 +25,7 @@
 #include "Log.hpp"
 #include "Unit.hpp"
 #include "Util.hpp"
+#include <wsd/LOOLWSD.hpp>
 
 void Document::addView(const std::string& sessionId, const std::string& userName, const std::string& userId)
 {
@@ -88,7 +89,7 @@ const std::string Document::getHistory() const
     std::ostringstream oss;
     oss << "{";
     oss << "\"docKey\"" << ":\"" << _docKey << "\",";
-    oss << "\"filename\"" << ":\"" << getFilename() << "\",";
+    oss << "\"filename\"" << ":\"" << LOOLWSD::anonymizeUrl(getFilename()) << "\",";
     oss << "\"start\"" << ":" << _start << ",";
     oss << "\"end\"" << ":" << _end << ",";
     oss << "\"pid\"" << ":" << getPid() << ",";
diff --git a/wsd/DocumentBroker.cpp b/wsd/DocumentBroker.cpp
index d2cab234b..6fb482c3c 100644
--- a/wsd/DocumentBroker.cpp
+++ b/wsd/DocumentBroker.cpp
@@ -654,7 +654,7 @@ bool DocumentBroker::load(const std::shared_ptr<ClientSession>& session, const s
         Poco::DigestOutputStream dos(sha1);
         Poco::StreamCopier::copyStream(istr, dos);
         dos.close();
-        LOG_INF("SHA1 for DocKey [" << _docKey << "] of [" << localPath << "]: " <<
+        LOG_INF("SHA1 for DocKey [" << _docKey << "] of [" << LOOLWSD::anonymizeUrl(localPath) << "]: " <<
                 Poco::DigestEngine::digestToHex(sha1.digest()));
 
         // LibreOffice can't open files with '#' in the name
diff --git a/wsd/Storage.cpp b/wsd/Storage.cpp
index e56e29c87..ef8e76793 100644
--- a/wsd/Storage.cpp
+++ b/wsd/Storage.cpp
@@ -255,22 +255,24 @@ std::string LocalStorage::loadStorageFileToLocal(const Authorization& /*auth*/)
     // /chroot/jailId/user/doc/childId/file.ext
     const auto filename = Poco::Path(_uri.getPath()).getFileName();
     _jailedFilePath = Poco::Path(getLocalRootPath(), filename).toString();
+    _jailedFilePathAnonym = LOOLWSD::anonymizeUrl(_jailedFilePath);
     LOG_INF("Public URI [" << _uri.getPath() <<
-            "] jailed to [" << _jailedFilePath << "].");
+            "] jailed to [" << _jailedFilePathAnonym << "].");
 
     // Despite the talk about URIs it seems that _uri is actually just a pathname here
     const auto publicFilePath = _uri.getPath();
 
     if (!FileUtil::checkDiskSpace(_jailedFilePath))
     {
-        throw StorageSpaceLowException("Low disk space for " + _jailedFilePath);
+        throw StorageSpaceLowException("Low disk space for " + _jailedFilePathAnonym);
     }
 
-    LOG_INF("Linking " << publicFilePath << " to " << _jailedFilePath);
+    LOG_INF("Linking " << publicFilePath << " to " << _jailedFilePathAnonym);
     if (!Poco::File(_jailedFilePath).exists() && link(publicFilePath.c_str(), _jailedFilePath.c_str()) == -1)
     {
         // Failed
-        LOG_WRN("link(\"" << publicFilePath << "\", \"" << _jailedFilePath << "\") failed. Will copy.");
+        LOG_WRN("link(\"" << publicFilePath << "\", \"" << _jailedFilePathAnonym << "\") failed. Will copy. "
+                "Linking error: " << errno << " " << strerror(errno));
     }
 
     try
@@ -278,14 +280,14 @@ std::string LocalStorage::loadStorageFileToLocal(const Authorization& /*auth*/)
         // Fallback to copying.
         if (!Poco::File(_jailedFilePath).exists())
         {
-            LOG_INF("Copying " << publicFilePath << " to " << _jailedFilePath);
+            LOG_INF("Copying " << publicFilePath << " to " << _jailedFilePathAnonym);
             Poco::File(publicFilePath).copyTo(_jailedFilePath);
             _isCopy = true;
         }
     }
     catch (const Poco::Exception& exc)
     {
-        LOG_ERR("copyTo(\"" << publicFilePath << "\", \"" << _jailedFilePath << "\") failed: " << exc.displayText());
+        LOG_ERR("copyTo(\"" << publicFilePath << "\", \"" << _jailedFilePathAnonym << "\") failed: " << exc.displayText());
         throw;
     }
 
@@ -305,11 +307,11 @@ StorageBase::SaveResult LocalStorage::saveLocalFileToStorage(const Authorization
 {
     try
     {
-        LOG_TRC("Saving local file to local file storage " << _isCopy << " for " << _jailedFilePath);
+        LOG_TRC("Saving local file to local file storage (isCopy: " << _isCopy << ") for " << _jailedFilePathAnonym);
         // Copy the file back.
         if (_isCopy && Poco::File(_jailedFilePath).exists())
         {
-            LOG_INF("Copying " << _jailedFilePath << " to " << _uri.getPath());
+            LOG_INF("Copying " << _jailedFilePathAnonym << " to " << _uri.getPath());
             Poco::File(_jailedFilePath).copyTo(_uri.getPath());
         }
 
@@ -320,7 +322,7 @@ StorageBase::SaveResult LocalStorage::saveLocalFileToStorage(const Authorization
     }
     catch (const Poco::Exception& exc)
     {
-        LOG_ERR("copyTo(\"" << _jailedFilePath << "\", \"" << _uri.getPath() <<
+        LOG_ERR("copyTo(\"" << _jailedFilePathAnonym << "\", \"" << _uri.getPath() <<
                 "\") failed: " << exc.displayText());
         return StorageBase::SaveResult::FAILED;
     }
@@ -677,13 +679,14 @@ std::string WopiStorage::loadStorageFileToLocal(const Authorization& auth)
         else // Successful
         {
             _jailedFilePath = Poco::Path(getLocalRootPath(), _fileInfo._filename).toString();
+            _jailedFilePathAnonym = LOOLWSD::anonymizeUrl(_jailedFilePath);
             std::ofstream ofs(_jailedFilePath);
             std::copy(std::istreambuf_iterator<char>(rs),
                       std::istreambuf_iterator<char>(),
                       std::ostreambuf_iterator<char>(ofs));
             ofs.close();
             LOG_INF("WOPI::GetFile downloaded " << getFileSize(_jailedFilePath) << " bytes from [" << uriObject.toString() <<
-                    "] -> " << _jailedFilePath << " in " << diff.count() << "s");
+                    "] -> " << _jailedFilePathAnonym << " in " << diff.count() << "s");
 
             _isLoaded = true;
             // Now return the jailed path.
@@ -713,7 +716,7 @@ StorageBase::SaveResult WopiStorage::saveLocalFileToStorage(const Authorization&
     uriObject.setPath(isSaveAs? uriObject.getPath(): uriObject.getPath() + "/contents");
     auth.authorizeURI(uriObject);
 
-    LOG_INF("Uploading URI via WOPI [" << uriObject.toString() << "] from [" << filePath + "].");
+    LOG_INF("Uploading URI via WOPI [" << LOOLWSD::anonymizeUrl(uriObject.toString()) << "] from [" << filePath + "].");
 
     std::ostringstream oss;
     StorageBase::SaveResult saveResult(StorageBase::SaveResult::FAILED);
@@ -792,7 +795,7 @@ StorageBase::SaveResult WopiStorage::saveLocalFileToStorage(const Authorization&
         std::string wopiLog(isSaveAs? "WOPI::PutRelativeFile": "WOPI::PutFile");
         LOG_INF(wopiLog << " response: " << oss.str());
         LOG_INF(wopiLog << " uploaded " << size << " bytes from [" << filePath <<
-                "] -> [" << uriObject.toString() << "]: " <<
+                "] -> [" << LOOLWSD::anonymizeUrl(uriObject.toString()) << "]: " <<
                 response.getStatus() << " " << response.getReason());
 
         if (response.getStatus() == Poco::Net::HTTPResponse::HTTP_OK)
diff --git a/wsd/Storage.hpp b/wsd/Storage.hpp
index e55e3047f..066958990 100644
--- a/wsd/Storage.hpp
+++ b/wsd/Storage.hpp
@@ -183,6 +183,7 @@ protected:
     std::string _localStorePath;
     std::string _jailPath;
     std::string _jailedFilePath;
+    std::string _jailedFilePathAnonym;
     FileInfo _fileInfo;
     bool _isLoaded;
     bool _forceSave;
commit 7847a77181de44397ff1f6455ad371ad37a39d80
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Sun Jun 10 14:02:02 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:18:12 2018 -0400

    kit: anonymize usernames and filenames in Kit
    
    Change-Id: Id7928136db71ded7bf6b1a5e8e387db7251f8a35

diff --git a/common/Util.hpp b/common/Util.hpp
index c9e38d789..fb7f7c27d 100644
--- a/common/Util.hpp
+++ b/common/Util.hpp
@@ -10,6 +10,7 @@
 #ifndef INCLUDED_UTIL_HPP
 #define INCLUDED_UTIL_HPP
 
+#include <cstring>
 #include <atomic>
 #include <cassert>
 #include <cstring>
@@ -224,11 +225,24 @@ namespace Util
         return trimmed(std::string(s));
     }
 
+    /// Return true iff s starts with t.
     inline bool startsWith(const std::string& s, const std::string& t)
     {
         return s.length() >= t.length() && memcmp(s.c_str(), t.c_str(), t.length()) == 0;
     }
 
+    /// Return true iff s starts with t.
+    inline bool startsWith(const std::string& s, const char* t)
+    {
+        if (t != nullptr && !s.empty())
+        {
+            const size_t len = std::strlen(t);
+            return s.length() >= len && memcmp(s.c_str(), t, len) == 0;
+        }
+
+        return false;
+    }
+
     /// Check for the URI scheme validity.
     /// For now just a basic sanity check, can be extended if necessary.
     bool isValidURIScheme(const std::string& scheme);
diff --git a/kit/ChildSession.cpp b/kit/ChildSession.cpp
index 1ba5a08ef..19950fe22 100644
--- a/kit/ChildSession.cpp
+++ b/kit/ChildSession.cpp
@@ -361,16 +361,18 @@ bool ChildSession::loadDocument(const char * /*buffer*/, int /*length*/, const s
 
     std::unique_lock<std::recursive_mutex> lock(Mutex);
 
-    bool loaded = _docManager.onLoad(getId(), _jailedFilePath, _userName,
-            _docPassword, renderOpts, _haveDocPassword, _lang, _watermarkText);
+    const bool loaded = _docManager.onLoad(getId(), _jailedFilePath, _jailedFilePathAnonym,
+                                           _userName, _userNameAnonym,
+                                           _docPassword, renderOpts, _haveDocPassword,
+                                           _lang, _watermarkText);
     if (!loaded || _viewId < 0)
     {
-        LOG_ERR("Failed to get LoKitDocument instance.");
+        LOG_ERR("Failed to get LoKitDocument instance for [" << _jailedFilePathAnonym << "].");
         return false;
     }
 
     LOG_INF("Created new view with viewid: [" << _viewId << "] for username: [" <<
-            _userName << "] in session: [" << getId() << "].");
+            _userNameAnonym << "] in session: [" << getId() << "].");
 
     std::unique_lock<std::mutex> lockLokDoc(_docManager.getDocumentMutex());
 
diff --git a/kit/ChildSession.hpp b/kit/ChildSession.hpp
index d8ae37b10..a5390dff7 100644
--- a/kit/ChildSession.hpp
+++ b/kit/ChildSession.hpp
@@ -40,7 +40,9 @@ public:
     /// Reqest loading a document, or a new view, if one exists.
     virtual bool onLoad(const std::string& sessionId,
                         const std::string& jailedFilePath,
+                        const std::string& jailedFilePathAnonym,
                         const std::string& userName,
+                        const std::string& userNameAnonym,
                         const std::string& docPassword,
                         const std::string& renderOpts,
                         const bool haveDocPassword,
diff --git a/kit/Kit.cpp b/kit/Kit.cpp
index 90b306323..f7a1f5821 100644
--- a/kit/Kit.cpp
+++ b/kit/Kit.cpp
@@ -100,11 +100,16 @@ using Poco::Process;
 #endif
 
 using namespace LOOLProtocol;
+using std::size_t;
 
 // We only host a single document in our lifetime.
 class Document;
 static std::shared_ptr<Document> document;
 static LokHookFunction2* initFunction = nullptr;
+#ifndef BUILDING_TESTS
+static bool AnonymizeFilenames = false;
+static bool AnonymizeUsernames = false;
+#endif
 
 #if ENABLE_DEBUG
 #  define ADD_DEBUG_RENDERID(s) ((s)+ " renderid=" + Util::UniqueId())
@@ -1209,7 +1214,9 @@ private:
     /// Load a document (or view) and register callbacks.
     bool onLoad(const std::string& sessionId,
                 const std::string& uri,
+                const std::string& uriAnonym,
                 const std::string& userName,
+                const std::string& userNameAnonym,
                 const std::string& docPassword,
                 const std::string& renderOpts,
                 const bool haveDocPassword,
@@ -1218,7 +1225,7 @@ private:
     {
         std::unique_lock<std::mutex> lock(_mutex);
 
-        LOG_INF("Loading url [" << uri << "] for session [" << sessionId <<
+        LOG_INF("Loading url [" << uriAnonym << "] for session [" << sessionId <<
                 "] which has " << (_sessions.size() - 1) <<
                 " sessions. Another load in progress: " << _isLoading);
 
@@ -1243,14 +1250,14 @@ private:
 
         try
         {
-            if (!load(session, uri, userName, docPassword, renderOpts, haveDocPassword, lang, watermarkText))
+            if (!load(session, uri, uriAnonym, userName, userNameAnonym, docPassword, renderOpts, haveDocPassword, lang, watermarkText))
             {
                 return false;
             }
         }
         catch (const std::exception& exc)
         {
-            LOG_ERR("Exception while loading url [" << uri <<
+            LOG_ERR("Exception while loading url [" << uriAnonym <<
                     "] for session [" << sessionId << "]: " << exc.what());
             return false;
         }
@@ -1481,7 +1488,9 @@ private:
 
     std::shared_ptr<lok::Document> load(const std::shared_ptr<ChildSession>& session,
                                         const std::string& uri,
+                                        const std::string& uriAnonym,
                                         const std::string& userName,
+                                        const std::string& userNameAnonym,
                                         const std::string& docPassword,
                                         const std::string& renderOpts,
                                         const bool haveDocPassword,
@@ -1495,7 +1504,7 @@ private:
         if (!_loKitDocument)
         {
             // This is the first time we are loading the document
-            LOG_INF("Loading new document from URI: [" << uri << "] for session [" << sessionId << "].");
+            LOG_INF("Loading new document from URI: [" << uriAnonym << "] for session [" << sessionId << "].");
 
             _loKit->registerCallback(GlobalCallback, this);
 
@@ -1517,22 +1526,22 @@ private:
             if (!lang.empty())
                 options = "Language=" + lang;
 
-            LOG_DBG("Calling lokit::documentLoad(" << uri << ", \"" << options << "\").");
+            LOG_DBG("Calling lokit::documentLoad(" << uriAnonym << ", \"" << options << "\").");
             Timestamp timestamp;
             _loKitDocument.reset(_loKit->documentLoad(uri.c_str(), options.c_str()));
-            LOG_DBG("Returned lokit::documentLoad(" << uri << ") in " << (timestamp.elapsed() / 1000.) << "ms.");
+            LOG_DBG("Returned lokit::documentLoad(" << uriAnonym << ") in " << (timestamp.elapsed() / 1000.) << "ms.");
 
             if (!_loKitDocument || !_loKitDocument->get())
             {
-                LOG_ERR("Failed to load: " << uri << ", error: " << _loKit->getError());
+                LOG_ERR("Failed to load: " << uriAnonym << ", error: " << _loKit->getError());
 
                 // Checking if wrong password or no password was reason for failure.
                 if (_isDocPasswordProtected)
                 {
-                    LOG_INF("Document [" << uri << "] is password protected.");
+                    LOG_INF("Document [" << uriAnonym << "] is password protected.");
                     if (!_haveDocPassword)
                     {
-                        LOG_INF("No password provided for password-protected document [" << uri << "].");
+                        LOG_INF("No password provided for password-protected document [" << uriAnonym << "].");
                         std::string passwordFrame = "passwordrequired:";
                         if (_docPasswordType == PasswordType::ToView)
                             passwordFrame += "to-view";
@@ -1542,7 +1551,7 @@ private:
                     }
                     else
                     {
-                        LOG_INF("Wrong password for password-protected document [" << uri << "].");
+                        LOG_INF("Wrong password for password-protected document [" << uriAnonym << "].");
                         session->sendTextFrame("error: cmd=load kind=wrongpassword");
                     }
                 }
@@ -1559,7 +1568,7 @@ private:
         }
         else
         {
-            LOG_INF("Document with url [" << uri << "] already loaded. Need to create new view for session [" << sessionId << "].");
+            LOG_INF("Document with url [" << uriAnonym << "] already loaded. Need to create new view for session [" << sessionId << "].");
 
             // Check if this document requires password
             if (_isDocPasswordProtected)
@@ -1581,17 +1590,17 @@ private:
                 }
             }
 
-            LOG_INF("Creating view to url [" << uri << "] for session [" << sessionId << "].");
+            LOG_INF("Creating view to url [" << uriAnonym << "] for session [" << sessionId << "].");
             _loKitDocument->createView();
-            LOG_TRC("View to url [" << uri << "] created.");
+            LOG_TRC("View to url [" << uriAnonym << "] created.");
         }
 
-        const std::string renderParams = makeRenderParams(_renderOpts, userName);
         LOG_INF("Initializing for rendering session [" << sessionId << "] on document url [" <<
-                _url << "] with: [" << renderParams << "].");
+                _url << "] with: [" << makeRenderParams(_renderOpts, userNameAnonym) << "].");
 
         // initializeForRendering() should be called before
         // registerCallback(), as the previous creates a new view in Impress.
+        const std::string renderParams = makeRenderParams(_renderOpts, userName);
         _loKitDocument->initializeForRendering(renderParams.c_str());
 
         const int viewId = _loKitDocument->getView();
@@ -1974,6 +1983,11 @@ void lokit_main(const std::string& childRoot,
         LOG_INF("Setting log-level to [trace] and delaying setting to configured [" << LogLevel << "] until after Kit initialization.");
     }
 
+    AnonymizeFilenames = std::getenv("LOOL_ANONYMIZE_FILENAMES") != nullptr;
+    LOG_INF("Filename anonymization is " << (AnonymizeFilenames ? "enabled." : "disabled."));
+    AnonymizeUsernames = std::getenv("LOOL_ANONYMIZE_USERNAMES") != nullptr;
+    LOG_INF("Username anonymization is " << (AnonymizeUsernames ? "enabled." : "disabled."));
+
     assert(!childRoot.empty());
     assert(!sysTemplate.empty());
     assert(!loTemplate.empty());
diff --git a/test/WhiteBoxTests.cpp b/test/WhiteBoxTests.cpp
index ba8b1603b..925f9e818 100644
--- a/test/WhiteBoxTests.cpp
+++ b/test/WhiteBoxTests.cpp
@@ -335,7 +335,9 @@ public:
     }
     bool onLoad(const std::string& /*sessionId*/,
                 const std::string& /*jailedFilePath*/,
+                const std::string& /*jailedFilePathAnonym*/,
                 const std::string& /*userName*/,
+                const std::string& /*userNameAnonym*/,
                 const std::string& /*docPassword*/,
                 const std::string& /*renderOpts*/,
                 const bool /*haveDocPassword*/,
commit 879259bb82d2095002252dec7e9ed0118f376e12
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Sun Jun 10 11:42:15 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:18:12 2018 -0400

    wsd: anonymize WOPI::CheckFileInfo
    
    Change-Id: I2c23e9f159456176ae85967cc49ec876b1e4ecf4

diff --git a/wsd/DocumentBroker.cpp b/wsd/DocumentBroker.cpp
index 4bab22b5e..d2cab234b 100644
--- a/wsd/DocumentBroker.cpp
+++ b/wsd/DocumentBroker.cpp
@@ -549,8 +549,8 @@ bool DocumentBroker::load(const std::shared_ptr<ClientSession>& session, const s
         watermarkText = LOOLWSD::OverrideWatermark;
 #endif
 
-    LOG_DBG("Setting username [" << username << "] and userId [" <<
-            userid << "] for session [" << sessionId << "]");
+    LOG_DBG("Setting username [" << LOOLWSD::anonymizeUsername(username) << "] and userId [" <<
+            LOOLWSD::anonymizeUsername(userid) << "] for session [" << sessionId << "]");
     session->setUserId(userid);
     session->setUserName(username);
     session->setUserExtraInfo(userExtraInfo);
diff --git a/wsd/Storage.cpp b/wsd/Storage.cpp
index 0d4aacb61..e56e29c87 100644
--- a/wsd/Storage.cpp
+++ b/wsd/Storage.cpp
@@ -13,6 +13,7 @@
 
 #include <algorithm>
 #include <cassert>
+#include <errno.h>
 #include <fstream>
 #include <iconv.h>
 #include <string>
@@ -48,6 +49,8 @@
 #include "Util.hpp"
 #include "common/FileUtil.hpp"
 
+using std::size_t;
+
 bool StorageBase::FilesystemEnabled;
 bool StorageBase::WopiEnabled;
 Util::RegexListMatcher StorageBase::WopiHosts;
@@ -486,21 +489,23 @@ std::unique_ptr<WopiStorage::WOPIFileInfo> WopiStorage::getWOPIFileInfo(const Au
 
     LOG_DBG("Getting info for wopi uri [" << uriObject.toString() << "].");
 
-    std::string resMsg;
-    const auto startTime = std::chrono::steady_clock::now();
+    std::string wopiResponse;
     std::chrono::duration<double> callDuration(0);
     try
     {
-        std::unique_ptr<Poco::Net::HTTPClientSession> psession(getHTTPClientSession(uriObject));
-
         Poco::Net::HTTPRequest request(Poco::Net::HTTPRequest::HTTP_GET, uriObject.getPathAndQuery(), Poco::Net::HTTPMessage::HTTP_1_1);
         request.set("User-Agent", WOPI_AGENT_STRING);
         auth.authorizeRequest(request);
         addStorageDebugCookie(request);
+
+        const auto startTime = std::chrono::steady_clock::now();
+
+        std::unique_ptr<Poco::Net::HTTPClientSession> psession(getHTTPClientSession(uriObject));
         psession->sendRequest(request);
 
         Poco::Net::HTTPResponse response;
         std::istream& rs = psession->receiveResponse(response);
+
         callDuration = (std::chrono::steady_clock::now() - startTime);
 
         auto logger = Log::trace();
@@ -521,7 +526,7 @@ std::unique_ptr<WopiStorage::WOPIFileInfo> WopiStorage::getWOPIFileInfo(const Au
             throw StorageConnectionException("WOPI::CheckFileInfo failed");
         }
 
-        Poco::StreamCopier::copyToString(rs, resMsg);
+        Poco::StreamCopier::copyToString(rs, wopiResponse);
     }
     catch(const Poco::Exception& pexc)
     {
@@ -551,15 +556,49 @@ std::unique_ptr<WopiStorage::WOPIFileInfo> WopiStorage::getWOPIFileInfo(const Au
     std::string lastModifiedTime;
     bool userCanNotWriteRelative = true;
 
-    LOG_DBG("WOPI::CheckFileInfo returned: " << resMsg << ". Call duration: " << callDuration.count() << "s");
     Poco::JSON::Object::Ptr object;
-    if (parseJSON(resMsg, object))
+    if (parseJSON(wopiResponse, object))
     {
         getWOPIValue(object, "BaseFileName", filename);
-        getWOPIValue(object, "Size", size);
         getWOPIValue(object, "OwnerId", ownerId);
         getWOPIValue(object, "UserId", userId);
         getWOPIValue(object, "UserFriendlyName", userName);
+
+        // Anonymize key values.
+        if (LOOLWSD::AnonymizeFilenames || LOOLWSD::AnonymizeUsernames)
+        {
+            // Set anonymized version of the above fields before logging.
+            // Note: anonymization caches the result, so we don't need to store here.
+            if (LOOLWSD::AnonymizeFilenames)
+                object->set("basefilename", LOOLWSD::anonymizeUrl(filename));
+
+            if (LOOLWSD::AnonymizeUsernames)
+            {
+                object->set("ownerid", LOOLWSD::anonymizeUsername(ownerId));
+                object->set("UserId", LOOLWSD::anonymizeUsername(userId));
+                object->set("UserFriendlyName", LOOLWSD::anonymizeUsername(userName));
+            }
+
+            std::ostringstream oss;
+            object->stringify(oss);
+            wopiResponse = oss.str();
+
+            // Remove them for performance reasons; they aren't needed anymore.
+            if (LOOLWSD::AnonymizeFilenames)
+                object->remove("basefilename");
+
+            if (LOOLWSD::AnonymizeUsernames)
+            {
+                object->remove("ownerid");
+                object->remove("UserId");
+                object->remove("UserFriendlyName");
+            }
+        }
+
+        // Log either an original or anonymized version, depending on anonymization flags.
+        LOG_DBG("WOPI::CheckFileInfo (" << callDuration.count() * 1000. << " ms): " << wopiResponse);
+
+        getWOPIValue(object, "Size", size);
         getWOPIValue(object, "UserExtraInfo", userExtraInfo);
         getWOPIValue(object, "WatermarkText", watermarkText);
         getWOPIValue(object, "UserCanWrite", canWrite);
@@ -577,7 +616,11 @@ std::unique_ptr<WopiStorage::WOPIFileInfo> WopiStorage::getWOPIFileInfo(const Au
     }
     else
     {
-        LOG_ERR("WOPI::CheckFileInfo failed and no JSON payload returned. Access denied.");
+        if (LOOLWSD::AnonymizeFilenames || LOOLWSD::AnonymizeUsernames)
+            LOG_ERR("WOPI::CheckFileInfo failed or no valid JSON payload returned. Access denied.");
+        else
+            LOG_ERR("WOPI::CheckFileInfo failed or no valid JSON payload returned. Access denied. "
+                    "Original response: [" << wopiResponse << "].");
         throw UnauthorizedRequestException("Access denied. WOPI::CheckFileInfo failed on: " + uriObject.toString());
     }
 
commit 83ad2048be82ed0c0187e4744e23aec7602decf4
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Sun Jun 10 13:53:39 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:18:12 2018 -0400

    kit: parse anonymized tokens in doc options
    
    Also optimize the parsing in general.
    
    Change-Id: Id1f5b5c12e867c98e523d1e32397853d7d4a6ee4

diff --git a/common/Session.cpp b/common/Session.cpp
index 6a3dc5852..dc538ca89 100644
--- a/common/Session.cpp
+++ b/common/Session.cpp
@@ -43,6 +43,7 @@
 using namespace LOOLProtocol;
 
 using Poco::Exception;
+using std::size_t;
 
 Session::Session(const std::string& name, const std::string& id, bool readOnly) :
     _id(id),
@@ -86,60 +87,78 @@ void Session::parseDocOptions(const std::vector<std::string>& tokens, int& part,
 
     for (size_t i = offset; i < tokens.size(); ++i)
     {
-        // FIXME use any kind of startsWith() instead of find(...) == 0
-        if (tokens[i].find("url=") == 0)
+        std::string name;
+        std::string value;
+        if (!LOOLProtocol::parseNameValuePair(tokens[i], name, value))
         {
-            _docURL = tokens[i].substr(strlen("url="));
+            LOG_WRN("Unexpected doc options token [" << tokens[i] << "]. Skipping.");
+            continue;
+        }
+
+        if (name == "url")
+        {
+            _docURL = value;
+            ++offset;
+        }
+        else if (name == "jail")
+        {
+            _jailedFilePath = value;
             ++offset;
         }
-        else if (tokens[i].find("jail=") == 0)
+        else if (name == "xjail")
         {
-            _jailedFilePath = tokens[i].substr(strlen("jail="));
+            _jailedFilePathAnonym = value;
             ++offset;
         }
-        else if (tokens[i].find("authorid=") == 0)
+        else if (name == "authorid")
         {
-            const std::string userId = tokens[i].substr(strlen("authorid="));
-            Poco::URI::decode(userId, _userId);
+            Poco::URI::decode(value, _userId);
             ++offset;
         }
-        else if (tokens[i].find("author=") == 0)
+        else if (name == "xauthorid")
         {
-            const std::string userName = tokens[i].substr(strlen("author="));
-            Poco::URI::decode(userName, _userName);
+            Poco::URI::decode(value, _userIdAnonym);
             ++offset;
         }
-        else if (tokens[i].find("authorextrainfo=") == 0)
+        else if (name == "author")
         {
-            const std::string userExtraInfo= tokens[i].substr(strlen("authorextrainfo="));
-            Poco::URI::decode(userExtraInfo, _userExtraInfo);
+            Poco::URI::decode(value, _userName);
             ++offset;
         }
-        else if (tokens[i].find("readonly=") == 0)
+        else if (name == "xauthor")
         {
-            _isReadOnly = tokens[i].substr(strlen("readonly=")) != "0";
+            Poco::URI::decode(value, _userNameAnonym);
             ++offset;
         }
-        else if (tokens[i].find("timestamp=") == 0)
+        else if (name == "authorextrainfo")
         {
-            timestamp = tokens[i].substr(strlen("timestamp="));
+            Poco::URI::decode(value, _userExtraInfo);
             ++offset;
         }
-        else if (tokens[i].find("password=") == 0)
+        else if (name == "readonly")
         {
-            _docPassword = tokens[i].substr(strlen("password="));
+            _isReadOnly = value != "0";
+            ++offset;
+        }
+        else if (name == "password")
+        {
+            _docPassword = value;
             _haveDocPassword = true;
             ++offset;
         }
-        else if (tokens[i].find("lang=") == 0)
+        else if (name == "lang")
+        {
+            _lang = value;
+            ++offset;
+        }
+        else if (name == "watermarkText")
         {
-            _lang = tokens[i].substr(strlen("lang="));
+            Poco::URI::decode(value, _watermarkText);
             ++offset;
         }
-        else if (tokens[i].find("watermarkText=") == 0)
+        else if (name == "timestamp")
         {
-            const std::string watermarkText = tokens[i].substr(strlen("watermarkText="));
-            Poco::URI::decode(watermarkText, _watermarkText);
+            timestamp = value;
             ++offset;
         }
     }
diff --git a/common/Session.hpp b/common/Session.hpp
index 645ec3c51..9fa9833a0 100644
--- a/common/Session.hpp
+++ b/common/Session.hpp
@@ -88,7 +88,8 @@ protected:
     Session(const std::string& name, const std::string& id, bool readonly);
     virtual ~Session();
 
-    /// Parses the options of the "load" command, shared between MasterProcessSession::loadDocument() and ChildProcessSession::loadDocument().
+    /// Parses the options of the "load" command,
+    /// shared between MasterProcessSession::loadDocument() and ChildProcessSession::loadDocument().
     void parseDocOptions(const std::vector<std::string>& tokens, int& part, std::string& timestamp);
 
     void updateLastActivityTime()
@@ -137,6 +138,9 @@ protected:
     /// The Jailed document path.
     std::string _jailedFilePath;
 
+    /// The Jailed document path, anonymized for logging.
+    std::string _jailedFilePathAnonym;
+
     /// Password provided, if any, to open the document
     std::string _docPassword;
 
@@ -149,12 +153,18 @@ protected:
     /// Document options: a JSON string, containing options (rendering, also possibly load in the future).
     std::string _docOptions;
 
-    /// Id of the user to whom the session belongs to
+    /// Id of the user to whom the session belongs to.
     std::string _userId;
 
-    /// Name of the user to whom the session belongs to
+    /// Id of the user to whom the session belongs to, anonymized for logging.
+    std::string _userIdAnonym;
+
+    /// Name of the user to whom the session belongs to.
     std::string _userName;
 
+    /// Name of the user to whom the session belongs to, anonymized for logging.
+    std::string _userNameAnonym;
+
     /// Extra info per user, mostly mail, avatar, links, etc.
     std::string _userExtraInfo;
 
commit 590454ec8765aade93be72068ef609a9a8ec9e34
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Sun Jun 10 11:41:17 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:18:12 2018 -0400

    wsd: anonymize load command sent to Kit
    
    Change-Id: Ic509ceb5c38bc50152f1d00bd5718089fe664ac1

diff --git a/wsd/ClientSession.cpp b/wsd/ClientSession.cpp
index b0e0d85fd..010e927fa 100644
--- a/wsd/ClientSession.cpp
+++ b/wsd/ClientSession.cpp
@@ -302,24 +302,26 @@ bool ClientSession::loadDocument(const char* /*buffer*/, int /*length*/,
 
         std::ostringstream oss;
         oss << "load";
-        oss << " url=" << docBroker->getPublicUri().toString();
+        oss << " url=" << docBroker->getPublicUri().toString();;
 
         if (!_userId.empty() && !_userName.empty())
         {
             std::string encodedUserId;
             Poco::URI::encode(_userId, "", encodedUserId);
             oss << " authorid=" << encodedUserId;
+            oss << " xauthorid=" << LOOLWSD::anonymizeUsername(encodedUserId);
 
             std::string encodedUserName;
             Poco::URI::encode(_userName, "", encodedUserName);
             oss << " author=" << encodedUserName;
+            oss << " xauthor=" << LOOLWSD::anonymizeUsername(encodedUserName);
         }
 
         if (!_userExtraInfo.empty())
         {
             std::string encodedUserExtraInfo;
             Poco::URI::encode(_userExtraInfo, "", encodedUserExtraInfo);
-            oss << " authorextrainfo=" << encodedUserExtraInfo;
+            oss << " authorextrainfo=" << encodedUserExtraInfo; //TODO: could this include PII?
         }
 
         oss << " readonly=" << isReadOnly();
diff --git a/wsd/DocumentBroker.cpp b/wsd/DocumentBroker.cpp
index dca3ddfc6..4bab22b5e 100644
--- a/wsd/DocumentBroker.cpp
+++ b/wsd/DocumentBroker.cpp
@@ -659,8 +659,9 @@ bool DocumentBroker::load(const std::shared_ptr<ClientSession>& session, const s
 
         // LibreOffice can't open files with '#' in the name
         std::string localPathEncoded;
-        Poco::URI::encode(localPath,"#",localPathEncoded);
-        _uriJailed = Poco::URI(Poco::URI("file://"), localPathEncoded);
+        Poco::URI::encode(localPath, "#", localPathEncoded);
+        _uriJailed = Poco::URI(Poco::URI("file://"), localPathEncoded).toString();
+        _uriJailedAnonym = Poco::URI(Poco::URI("file://"), LOOLWSD::anonymizeUrl(localPathEncoded)).toString();
 
         _filename = fileInfo._filename;
 
@@ -1470,8 +1471,9 @@ bool DocumentBroker::forwardToChild(const std::string& viewId, const std::string
         {
             // The json options must come last.
             msg = tokens[0] + ' ' + tokens[1] + ' ' + tokens[2];
-            msg += " jail=" + _uriJailed.toString() + ' ';
-            msg += Poco::cat(std::string(" "), tokens.begin() + 3, tokens.end());
+            msg += " jail=" + _uriJailed;
+            msg += " xjail=" + _uriJailedAnonym;
+            msg += ' ' + Poco::cat(std::string(" "), tokens.begin() + 3, tokens.end());
         }
 
         _childProcess->sendTextFrame(msg);
@@ -1658,7 +1660,7 @@ void DocumentBroker::dumpState(std::ostream& os)
     os << "\n  jail id: " << _jailId;
     os << "\n  filename: " << _filename;
     os << "\n  public uri: " << _uriPublic.toString();
-    os << "\n  jailed uri: " << _uriJailed.toString();
+    os << "\n  jailed uri: " << _uriJailed;
     os << "\n  doc key: " << _docKey;
     os << "\n  doc id: " << _docId;
     os << "\n  num sessions: " << _sessions.size();
diff --git a/wsd/DocumentBroker.hpp b/wsd/DocumentBroker.hpp
index 443d8ab52..f1ebef749 100644
--- a/wsd/DocumentBroker.hpp
+++ b/wsd/DocumentBroker.hpp
@@ -257,7 +257,6 @@ public:
     bool autoSave(const bool force);
 
     Poco::URI getPublicUri() const { return _uriPublic; }
-    Poco::URI getJailedUri() const { return _uriJailed; }
     const std::string& getJailId() const { return _jailId; }
     const std::string& getDocKey() const { return _docKey; }
     const std::string& getFilename() const { return _filename; };
@@ -402,7 +401,8 @@ private:
     const std::string _childRoot;
     const std::string _cacheRoot;
     std::shared_ptr<ChildProcess> _childProcess;
-    Poco::URI _uriJailed;
+    std::string _uriJailed;
+    std::string _uriJailedAnonym;
     std::string _jailId;
     std::string _filename;
 
commit a828eb9a1e05b429d136723698f996d240f21c99
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Sun Jun 10 11:35:59 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:18:12 2018 -0400

    wsd: add anonymization helpers
    
    Change-Id: Ic479218ab1b6e580c288a984f35795e1d0d6e8ad

diff --git a/common/Util.cpp b/common/Util.cpp
index ca78e5bf5..30fbc20fe 100644
--- a/common/Util.cpp
+++ b/common/Util.cpp
@@ -542,6 +542,59 @@ namespace Util
 
         return true;
     }
+
+    static std::map<std::string, std::string> AnonymizedStrings;
+    static std::atomic<unsigned> AnonymizationSalt(0);
+
+    std::string anonymize(const std::string& text)
+    {
+        const auto it = AnonymizedStrings.find(text);
+        if (it != AnonymizedStrings.end())
+            return it->second;
+
+        // We just need something irreversible, short, and
+        // quite simple.
+        std::size_t hash = 0;
+        for (const char c : text)
+            hash += c;
+
+        // Generate the anonymized string. The '#' is to hint that it's anonymized.
+        // Prepend with salt to make it unique, in case we get collisions (which we will, eventually).
+        const std::string res = '#' + Util::encodeId(AnonymizationSalt++, 0) + '#' + Util::encodeId(hash, 0) + '#';
+        AnonymizedStrings[text] = res;
+        return res;
+    }
+
+    static std::string anonymizeFilename(const std::string& filename)
+    {
+        // Preserve the extension.
+        std::string basename;
+        std::string ext;
+        const std::size_t mid = filename.find_last_of('.');
+        if (mid != std::string::npos)
+        {
+            basename = filename.substr(0, mid);
+            ext = filename.substr(mid);
+        }
+        else
+            basename = filename;
+
+        return Util::anonymize(basename) + ext;
+    }
+
+    std::string anonymizeUrl(const std::string& url)
+    {
+        const std::size_t mid = url.find_last_of('/');
+        if (mid != std::string::npos)
+        {
+            const std::string path = url.substr(0, mid + 1);
+            const std::string filename = url.substr(mid + 1);
+            return path + Util::anonymizeFilename(filename);
+        }
+
+        // No path, treat as filename only.
+        return Util::anonymizeFilename(url);
+    }
 }
 
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */
diff --git a/common/Util.hpp b/common/Util.hpp
index f90081730..c9e38d789 100644
--- a/common/Util.hpp
+++ b/common/Util.hpp
@@ -237,6 +237,13 @@ namespace Util
     /// For now just a basic sanity check, can be extended if necessary.
     bool isValidURIHost(const std::string& host);
 
+    /// Anonymize a sensitive string to avoid leaking it.
+    /// Called on strings to be logged or exposed.
+    std::string anonymize(const std::string& text);
+
+    /// Anonymize the basename of filenames only, preserving the path and extension.
+    std::string anonymizeUrl(const std::string& url);
+
     /// Given one or more patterns to allow, and one or more to deny,
     /// the match member will return true if, and only if, the subject
     /// matches the allowed list, but not the deny.
diff --git a/wsd/LOOLWSD.hpp b/wsd/LOOLWSD.hpp
index 8c59d3f51..85dd87a10 100644
--- a/wsd/LOOLWSD.hpp
+++ b/wsd/LOOLWSD.hpp
@@ -144,6 +144,18 @@ public:
     /// Autosave a given document
     static void autoSave(const std::string& docKey);
 
+    /// Anonymize the basename of filenames, preserving the path and extension.
+    static std::string anonymizeUrl(const std::string& url)
+    {
+        return AnonymizeFilenames ? Util::anonymizeUrl(url) : url;
+    }
+
+    /// Anonymize usernames.
+    static std::string anonymizeUsername(const std::string& username)
+    {
+        return AnonymizeUsernames ? Util::anonymize(username) : username;
+    }
+
 protected:
     void initialize(Poco::Util::Application& self) override;
     void defineOptions(Poco::Util::OptionSet& options) override;
commit 52c706993119bc822277b94b5a29e03715ac925e
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Wed Jun 6 21:34:51 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:18:12 2018 -0400

    wsd: demote socket write logs to trace level
    
    They are only informative when the actual data
    is also logged, which is on the trace-level only.
    
    Change-Id: I7e45f2a4f14638783a65cb3a4eb132438d9125b8

diff --git a/wsd/ClientSession.cpp b/wsd/ClientSession.cpp
index 77a6e075a..b0e0d85fd 100644
--- a/wsd/ClientSession.cpp
+++ b/wsd/ClientSession.cpp
@@ -528,7 +528,7 @@ int ClientSession::getPollEvents(std::chrono::steady_clock::time_point /* now */
 
 void ClientSession::performWrites()
 {
-    LOG_DBG(getName() << " ClientSession: performing writes");
+    LOG_TRC(getName() << " ClientSession: performing writes.");
 
     std::shared_ptr<Message> item;
     if (_senderQueue.dequeue(item))
@@ -552,7 +552,7 @@ void ClientSession::performWrites()
         }
     }
 
-    LOG_DBG(getName() << " ClientSession: performed write");
+    LOG_TRC(getName() << " ClientSession: performed write.");
 }
 
 bool ClientSession::handleKitToClientMessage(const char* buffer, const int length)
commit a99f74e60685b0c9d654dbd097102b9b6ec4f654
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Sun Jun 3 18:17:33 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:18:06 2018 -0400

    wsd: support anonymization settings
    
    Check and fail to start if anonymization is enabled
    and trace-level logging is requested. Since trace
    may include data packets, which is hard to anonymize and
    is likely to impact performance if attempted, it is best
    to prevent tracing altogether.
    
    Also, sort the default settings for better readability.
    
    Change-Id: Ic83f1f2fda15e2146a5d970f03617fa460d9cbc7

diff --git a/kit/ForKit.cpp b/kit/ForKit.cpp
index 7d14663f6..d77c01c30 100644
--- a/kit/ForKit.cpp
+++ b/kit/ForKit.cpp
@@ -388,7 +388,7 @@ int main(int argc, char** argv)
     LogLevel = logLevel ? logLevel : "trace";
     if (LogLevel != "trace")
     {
-        LOG_INF("Setting log-level to [trace] and delaying setting to requested [" << LogLevel << "].");
+        LOG_INF("Setting log-level to [trace] and delaying setting to configured [" << LogLevel << "] until after Forkit initialization.");
     }
 
     std::string childRoot;
@@ -549,7 +549,7 @@ int main(int argc, char** argv)
     ::unsetenv("LOOL_TRACE_STARTUP");
     if (LogLevel != "trace")
     {
-        LOG_INF("Setting log-level to [" << LogLevel << "].");
+        LOG_INF("Forkit initialization complete: setting log-level to [" << LogLevel << "] as configured.");
         Log::logger().setLevel(LogLevel);
     }
 
diff --git a/kit/Kit.cpp b/kit/Kit.cpp
index 374025a8d..90b306323 100644
--- a/kit/Kit.cpp
+++ b/kit/Kit.cpp
@@ -1971,7 +1971,7 @@ void lokit_main(const std::string& childRoot,
     Log::initialize("kit", bTraceStartup ? "trace" : logLevel, logColor != nullptr, logToFile, logProperties);
     if (bTraceStartup && LogLevel != "trace")
     {
-        LOG_INF("Setting log-level to [trace] and delaying setting to requested [" << LogLevel << "].");
+        LOG_INF("Setting log-level to [trace] and delaying setting to configured [" << LogLevel << "] until after Kit initialization.");
     }
 
     assert(!childRoot.empty());
@@ -2195,7 +2195,7 @@ void lokit_main(const std::string& childRoot,
 
         if (bTraceStartup && LogLevel != "trace")
         {
-            LOG_INF("Setting log-level to [" << LogLevel << "].");
+            LOG_INF("Kit initialization complete: setting log-level to [" << LogLevel << "] as configured.");
             Log::logger().setLevel(LogLevel);
         }
 
diff --git a/wsd/LOOLWSD.cpp b/wsd/LOOLWSD.cpp
index 8d7341be7..59d3025da 100644
--- a/wsd/LOOLWSD.cpp
+++ b/wsd/LOOLWSD.cpp
@@ -587,6 +587,8 @@ std::string LOOLWSD::LOKitVersion;
 std::string LOOLWSD::ConfigFile = LOOLWSD_CONFIGDIR "/loolwsd.xml";
 std::string LOOLWSD::ConfigDir = LOOLWSD_CONFIGDIR "/conf.d";
 std::string LOOLWSD::LogLevel = "trace";
+bool LOOLWSD::AnonymizeFilenames = false;
+bool LOOLWSD::AnonymizeUsernames = false;
 Util::RuntimeConstant<bool> LOOLWSD::SSLEnabled;
 Util::RuntimeConstant<bool> LOOLWSD::SSLTermination;
 std::set<std::string> LOOLWSD::EditFileExtensions;
@@ -656,61 +658,65 @@ void LOOLWSD::initialize(Application& self)
 
     // Add default values of new entries here.
     static const std::map<std::string, std::string> DefAppConfig
-        = { { "allowed_languages", "de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru" },
-            { "tile_cache_path", LOOLWSD_CACHEDIR },
-            { "tile_cache_persistent", "true" },
-            { "sys_template_path", "systemplate" },
-            { "lo_template_path", LO_PATH },
+        = {
+            { "admin_console.enable_pam", "false"},
+            { "allowed_languages", "de_DE en_GB en_US es_ES fr_FR it nl pt_BR pt_PT ru" },
             { "child_root_path", "jails" },
-            { "lo_jail_subpath", "lo" },
-            { "server_name", "" },
             { "file_server_root_path", "loleaflet/.." },
+            { "lo_jail_subpath", "lo" },
+            { "lo_template_path", LO_PATH },
+            { "logging.anonymize.filenames", "false" },
+            { "logging.anonymize.usernames", "false" },
+            { "logging.color", "true" },
+            { "logging.file.property[0]", "loolwsd.log" },
+            { "logging.file.property[0][@name]", "path" },
+            { "logging.file.property[1]", "never" },
+            { "logging.file.property[1][@name]", "rotation" },
+            { "logging.file.property[2]", "true" },
+            { "logging.file.property[2][@name]", "compress" },
+            { "logging.file.property[3]", "false" },
+            { "logging.file.property[3][@name]", "flush" },
+            { "logging.file[@enable]", "false" },
+            { "logging.level", "trace" },
+            { "loleaflet_html", "loleaflet.html" },
+            { "loleaflet_logging", "false" },
+            { "net.proto", "all" },
             { "num_prespawn_children", "1" },
-            { "per_document.max_concurrency", "4" },
+            { "per_document.autosave_duration_secs", "300" },
             { "per_document.idle_timeout_secs", "3600" },
             { "per_document.idlesave_duration_secs", "30" },
-            { "per_document.autosave_duration_secs", "300" },
-            { "per_document.limit_virt_mem_mb", "0" },
-            { "per_document.limit_stack_mem_kb", "8000" },
             { "per_document.limit_file_size_mb", "0" },
             { "per_document.limit_num_open_files", "0" },
-            { "per_view.out_of_focus_timeout_secs", "60" },
+            { "per_document.limit_stack_mem_kb", "8000" },
+            { "per_document.limit_virt_mem_mb", "0" },
+            { "per_document.max_concurrency", "4" },
             { "per_view.idle_timeout_secs", "900" },
-            { "loleaflet_html", "loleaflet.html" },
-            { "logging.color", "true" },
-            { "logging.level", "trace" },
-            { "loleaflet_logging", "false" },
-            { "net.proto", "all" },
-            { "ssl.enable", "true" },
-            { "ssl.termination", "true" },
-            { "ssl.cert_file_path", LOOLWSD_CONFIGDIR "/cert.pem" },
-            { "ssl.key_file_path", LOOLWSD_CONFIGDIR "/key.pem" },
+            { "per_view.out_of_focus_timeout_secs", "60" },
+            { "security.capabilities", "true" },
+            { "security.seccomp", "true" },
+            { "server_name", "" },
             { "ssl.ca_file_path", LOOLWSD_CONFIGDIR "/ca-chain.cert.pem" },
-            { "ssl.hpkp[@enable]", "false" },
-            { "ssl.hpkp[@report_only]", "false" },
+            { "ssl.cert_file_path", LOOLWSD_CONFIGDIR "/cert.pem" },
+            { "ssl.enable", "true" },
             { "ssl.hpkp.max_age[@enable]", "true" },
             { "ssl.hpkp.report_uri[@enable]", "false" },
-            { "security.seccomp", "true" },
-            { "security.capabilities", "true" },
+            { "ssl.hpkp[@enable]", "false" },
+            { "ssl.hpkp[@report_only]", "false" },
+            { "ssl.key_file_path", LOOLWSD_CONFIGDIR "/key.pem" },
+            { "ssl.termination", "true" },
             { "storage.filesystem[@allow]", "false" },
-            { "storage.wopi[@allow]", "true" },
-            { "storage.wopi.host[0][@allow]", "true" },
+            { "storage.webdav[@allow]", "false" },
             { "storage.wopi.host[0]", "localhost" },
+            { "storage.wopi.host[0][@allow]", "true" },
             { "storage.wopi.max_file_size", "0" },
-            { "storage.webdav[@allow]", "false" },
-            { "logging.file[@enable]", "false" },
-            { "logging.file.property[0][@name]", "path" },
-            { "logging.file.property[0]", "loolwsd.log" },
-            { "logging.file.property[1][@name]", "rotation" },
-            { "logging.file.property[1]", "never" },
-            { "logging.file.property[2][@name]", "compress" },
-            { "logging.file.property[2]", "true" },
-            { "logging.file.property[3][@name]", "flush" },
-            { "logging.file.property[3]", "false" },
-            { "trace[@enable]", "false" },
+            { "storage.wopi[@allow]", "true" },
+            { "sys_template_path", "systemplate" },
+            { "tile_cache_path", LOOLWSD_CACHEDIR },
+            { "tile_cache_persistent", "true" },
             { "trace.path[@compress]", "true" },
             { "trace.path[@snapshot]", "false" },
-            { "admin_console.enable_pam", "false"} };
+            { "trace[@enable]", "false" }
+          };
 
     // Set default values, in case they are missing from the config file.
     AutoPtr<AppConfigMap> defConfig(new AppConfigMap(DefAppConfig));
@@ -755,6 +761,21 @@ void LOOLWSD::initialize(Application& self)
         setenv("LOOL_LOGCOLOR", "1", true);
     }
 
+    // Get anonymization settings.
+    AnonymizeFilenames = getConfigValue<bool>(conf, "logging.anonymize.filenames", false);
+    setenv("LOOL_ANONYMIZE_FILENAMES", AnonymizeFilenames ? "1" : "0", true);
+    AnonymizeUsernames = getConfigValue<bool>(conf, "logging.anonymize.usernames", false);
+    setenv("LOOL_ANONYMIZE_USERNAMES", AnonymizeUsernames ? "1" : "0", true);
+    if (AnonymizeFilenames || AnonymizeUsernames)
+    {
+        if (LogLevel == "trace")
+        {
+            LOG_FTL("Anonymization and trace-level logging are incompatible. "
+                    "Please reduce logging level to debug or lower to prevent leaking sensitive user data.");
+            _exit(Application::EXIT_SOFTWARE);
+        }
+    }
+
     const auto logToFile = getConfigValue<bool>(conf, "logging.file[@enable]", false);
     std::map<std::string, std::string> logProperties;
     for (size_t i = 0; ; ++i)
@@ -790,7 +811,7 @@ void LOOLWSD::initialize(Application& self)
     Log::initialize("wsd", "trace", withColor, logToFile, logProperties);
     if (LogLevel != "trace")
     {
-        LOG_INF("Setting log-level to [trace] and delaying setting to requested [" << LogLevel << "].");
+        LOG_INF("Setting log-level to [trace] and delaying setting to configured [" << LogLevel << "] until after WSD initialization.");
     }
 
     {
@@ -2804,7 +2825,7 @@ int LOOLWSD::innerMain()
 
     if (LogLevel != "trace")
     {
-        LOG_INF("Setting log-level to [" << LogLevel << "].");
+        LOG_INF("WSD initialization complete: setting log-level to [" << LogLevel << "] as configured.");
         Log::logger().setLevel(LogLevel);
     }
 
diff --git a/wsd/LOOLWSD.hpp b/wsd/LOOLWSD.hpp
index b2ec7ef41..8c59d3f51 100644
--- a/wsd/LOOLWSD.hpp
+++ b/wsd/LOOLWSD.hpp
@@ -59,6 +59,8 @@ public:
     static std::string FileServerRoot;
     static std::string LOKitVersion;
     static std::string LogLevel;
+    static bool AnonymizeFilenames;
+    static bool AnonymizeUsernames;
     static std::atomic<unsigned> NumConnections;
     static bool TileCachePersistent;
     static std::unique_ptr<TraceFileWriter> TraceDumper;
commit 519612e3fcb881c3f08c115c6914818ed395c954
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Sun Jun 3 14:02:44 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:08:04 2018 -0400

    wsd: anonymization config and settings for username/filename
    
    Change-Id: I9d7ce87b5f7d204b503d467959de008326b3411c

diff --git a/configure.ac b/configure.ac
index db1ccc061..4635514a4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -52,6 +52,14 @@ AC_ARG_ENABLE([debug],
               AS_HELP_STRING([--enable-debug],
                              [Enable debugging, link with debugging version of Poco libraries]))
 
+AC_ARG_ENABLE([anonymize-usernames],
+              AS_HELP_STRING([--enable-anonymize-usernames],
+                             [Enable anonymization/obfuscation of usernames in logs]))
+
+AC_ARG_ENABLE([anonymize-filenames],
+              AS_HELP_STRING([--enable-anonymize-filenames],
+                             [Enable anonymization/obfuscation of filenames in logs]))
+
 AC_ARG_ENABLE([seccomp],
               AS_HELP_STRING([--disable-seccomp],
                              [Disable use of linux/seccomp.h header when kernel on target system does not support it.
@@ -126,6 +134,8 @@ ENABLE_DEBUG=
 LOOLWSD_LOGLEVEL="warning"
 LOOLWSD_LOG_TO_FILE="false"
 LOOLWSD_LOGFILE="/var/log/loolwsd.log"
+LOOLWSD_ANONYMIZE_FILENAMES=false
+LOOLWSD_ANONYMIZE_USERNAMES=false
 LOLEAFLET_LOGGING="false"
 debug_msg="secure mode: product build"
 if test "$enable_debug" = "yes"; then
@@ -134,6 +144,8 @@ if test "$enable_debug" = "yes"; then
    LOOLWSD_LOGLEVEL="trace"
    LOOLWSD_LOG_TO_FILE="true"
    LOOLWSD_LOGFILE="/tmp/loolwsd.log"
+   LOOLWSD_ANONYMIZE_FILENAMES=false
+   LOOLWSD_ANONYMIZE_USERNAMES=false
    LOLEAFLET_LOGGING="true"
    debug_msg="low security debugging mode"
 else
@@ -149,6 +161,16 @@ if test -n "$with_logfile" ; then
 fi
 AC_SUBST(LOOLWSD_LOGFILE)
 
+if test -n "$enable_anonymize_filenames" ; then
+   LOOLWSD_ANONYMIZE_FILENAMES=true
+fi
+AC_SUBST(LOOLWSD_ANONYMIZE_FILENAMES)
+
+if test -n "$enable_anonymize_usernames" ; then
+   LOOLWSD_ANONYMIZE_USERNAMES=true
+fi
+AC_SUBST(LOOLWSD_ANONYMIZE_USERNAMES)
+
 MAX_CONNECTIONS=20
 AS_IF([test -n "$with_max_connections" && test "$with_max_connections" -gt "0"],
       [MAX_CONNECTIONS="$with_max_connections"])
diff --git a/loolwsd.xml.in b/loolwsd.xml.in
index 1d5ac8dc1..1f9fcff62 100644
--- a/loolwsd.xml.in
+++ b/loolwsd.xml.in
@@ -48,6 +48,10 @@
             <property name="rotateOnOpen" desc="Enable/disable log file rotation on opening.">true</property>
             <property name="flush" desc="Enable/disable flushing after logging each line. May harm performance. Note that without flushing after each line, the log lines from the different processes will not appear in chronological order.">false</property>
         </file>
+        <anonymize>
+            <filenames type="bool" desc="Enable to anonymize/obfuscate filenames in logs. If default is true, it was forced at compile-time and cannot be disabled." default="@LOOLWSD_ANONYMIZE_FILENAMES@">@LOOLWSD_ANONYMIZE_FILENAMES@</filenames>
+            <usernames type="bool" desc="Enable to anonymize/obfuscate usernames in logs. If default is true, it was forced at compile-time and cannot be disabled." default="@LOOLWSD_ANONYMIZE_USERNAMES@">@LOOLWSD_ANONYMIZE_USERNAMES@</usernames>
+        </anonymize>
     </logging>
 
     <loleaflet_logging desc="Logging in the browser console" default="@LOLEAFLET_LOGGING@">@LOLEAFLET_LOGGING@</loleaflet_logging>
commit cd199dc831a56de2ab09c5ee730e14176d3e7622
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Mon Jun 4 16:47:39 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:08:04 2018 -0400

    wsd: always use signal-safe calls
    
    The async-signal-safe functions to get thread-id
    and thread-name, which cache the results, are
    faster, cleaner, and signal-safe. No reason why
    we shouldn't always use them.
    
    Especially since it appears the logic was
    inverted in Log::prefix, such that the signal
    un-safe calls were made during signal-handling,
    and the safe ones were called otherwise!
    
    Instead of passing the signal-safe flag to
    Log::prefix, we pass the buffer size, for
    improved security.
    
    Furthermore, reduce header dependencies
    and reduce clutter.
    
    Change-Id: I697689b2f0a290b6d8cce4babc3ac1e576141da6

diff --git a/common/Log.cpp b/common/Log.cpp
index 78802d4c9..1d4d36d39 100644
--- a/common/Log.cpp
+++ b/common/Log.cpp
@@ -9,12 +9,11 @@
 
 #include "config.h"
 
-#include <sys/prctl.h>
-#include <sys/syscall.h>
-#include <unistd.h>
+#include "Log.hpp"
 
 #include <atomic>
 #include <cassert>
+#include <cstring>
 #include <ctime>
 #include <iomanip>
 #include <sstream>
@@ -30,7 +29,6 @@
 #include <Poco/Thread.h>
 #include <Poco/Timestamp.h>
 
-#include "Log.hpp"
 #include "Util.hpp"
 
 static char LogPrefix[256] = { '\0' };
@@ -62,7 +60,7 @@ namespace Log
     {
         while (true)
         {
-            const int length = strlen(message);
+            const int length = std::strlen(message);
             const int written = write (STDERR_FILENO, message, length);
             if (written < 0)
             {
@@ -80,7 +78,7 @@ namespace Log
 
     // We need a signal safe means of writing messages
     //   $ man 7 signal
-    void signalLogNumber(size_t num)
+    void signalLogNumber(std::size_t num)
     {
         int i;
         char buf[22];
@@ -93,26 +91,13 @@ namespace Log
         signalLog(buf + i + 1);
     }
 
-    char* prefix(char* buffer, const char* level, bool sigSafe)
+    char* prefix(char* buffer, const std::size_t len, const char* level)
     {
-        long osTid;
-        char procName[32];
-        const char *threadName = procName;
-        if (sigSafe)
-        {
-            osTid = syscall(SYS_gettid);
-
-            if (prctl(PR_GET_NAME, reinterpret_cast<unsigned long>(procName), 0, 0, 0) != 0)
-                strncpy(procName, "<noid>", sizeof(procName) - 1);
-        }
-        else
-        {
-            osTid = Util::getThreadId();
-            threadName = Util::getThreadName();
-        }
+        const long osTid = Util::getThreadId();
+        const char *threadName = Util::getThreadName();
 
         Poco::DateTime time;
-        snprintf(buffer, 1023, "%s-%.05lu %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.6u [ %s ] %s  ",
+        snprintf(buffer, len, "%s-%.05lu %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.6u [ %s ] %s  ",
                     (Source.inited ? Source.id.c_str() : "<shutdown>"),
                     osTid,
                     time.year(), time.month(), time.day(),
@@ -125,7 +110,7 @@ namespace Log
     void signalLogPrefix()
     {
         char buffer[1024];
-        prefix(buffer, "SIG", true);
+        prefix(buffer, sizeof(buffer) - 1, "SIG");
         signalLog(buffer);
     }
 
@@ -140,7 +125,7 @@ namespace Log
         oss << Source.name << '-'
             << std::setw(5) << std::setfill('0') << Poco::Process::id();
         Source.id = oss.str();
-        assert (sizeof (LogPrefix) > strlen(oss.str().c_str()) + 1);
+        assert (sizeof (LogPrefix) > std::strlen(oss.str().c_str()) + 1);
         strncpy(LogPrefix, oss.str().c_str(), sizeof(LogPrefix));
 
         // Configure the logger.
diff --git a/common/Log.hpp b/common/Log.hpp
index 90ed1a7dc..152fea1b4 100644
--- a/common/Log.hpp
+++ b/common/Log.hpp
@@ -10,9 +10,6 @@
 #ifndef INCLUDED_LOG_HPP
 #define INCLUDED_LOG_HPP
 
-#include <sys/syscall.h>
-#include <unistd.h>
-
 #include <functional>
 #include <sstream>
 #include <string>
@@ -38,7 +35,7 @@ namespace Log
                     std::map<std::string, std::string> config);
     Poco::Logger& logger();
 
-    char* prefix(char* buffer, const char* level, bool sigSafe);
+    char* prefix(char* buffer, std::size_t len, const char* level);
 
     inline bool traceEnabled() { return logger().trace(); }
     inline bool debugEnabled() { return logger().debug(); }
@@ -52,7 +49,7 @@ namespace Log
     /// Signal safe logging
     void signalLog(const char* message);
     /// Signal log number
-    void signalLogNumber(size_t num);
+    void signalLogNumber(std::size_t num);
 
     /// The following is to write streaming logs.
     /// Log::info() << "Value: 0x" << std::hex << value
@@ -80,7 +77,7 @@ namespace Log
             _enabled(true)
         {
             char buffer[1024];
-            _stream << prefix(buffer, level, syscall(SYS_gettid));
+            _stream << prefix(buffer, sizeof(buffer) - 1, level);
         }
 
         StreamLogger(StreamLogger&& sl) noexcept
@@ -196,13 +193,13 @@ namespace Log
         LOG.flush();                                \
     } while (false)
 
-#define LOG_BODY_(LOG, PRIO, LVL, X)                                               \
-    Poco::Message m_(LOG.name(), "", Poco::Message::PRIO_##PRIO);                  \
-    char b_[1024];                                                                 \
-    std::ostringstream oss_(Log::prefix(b_, LVL, false), std::ostringstream::ate); \
-    oss_ << std::boolalpha << X;                                                   \
-    LOG_END(oss_);                                                                  \
-    m_.setText(oss_.str());                                                        \
+#define LOG_BODY_(LOG, PRIO, LVL, X)                                                        \
+    Poco::Message m_(LOG.name(), "", Poco::Message::PRIO_##PRIO);                           \
+    char b_[1024];                                                                          \
+    std::ostringstream oss_(Log::prefix(b_, sizeof(b_) - 1, LVL), std::ostringstream::ate); \
+    oss_ << std::boolalpha << X;                                                            \
+    LOG_END(oss_);                                                                          \
+    m_.setText(oss_.str());                                                                 \
     LOG.log(m_);
 
 #define LOG_TRC(X)                            \
diff --git a/common/Seccomp.cpp b/common/Seccomp.cpp
index e49c4d5e8..21fc83c35 100644
--- a/common/Seccomp.cpp
+++ b/common/Seccomp.cpp
@@ -11,7 +11,10 @@
  * exotic or un-necessary system calls to be used to break containment.
  */
 
-#include "config.h"
+#include <config.h>
+
+#include "Seccomp.hpp"
+
 #include <dlfcn.h>
 #include <ftw.h>
 #include <linux/audit.h>
@@ -24,13 +27,13 @@
 #include <sys/capability.h>
 #include <sys/prctl.h>
 #include <sys/resource.h>
+#include <sys/syscall.h>
 #include <sys/time.h>
 #include <unistd.h>
 #include <utime.h>
 
 #include <common/Log.hpp>
 #include <common/SigUtil.hpp>
-#include <Seccomp.hpp>
 
 #ifndef SYS_SECCOMP
 #  define SYS_SECCOMP 1
diff --git a/common/Seccomp.hpp b/common/Seccomp.hpp
index 5098c1c75..5a09de772 100644
--- a/common/Seccomp.hpp
+++ b/common/Seccomp.hpp
@@ -9,6 +9,9 @@
 #ifndef INCLUDED_SECCOMP_HPP
 #define INCLUDED_SECCOMP_HPP
 
+#include <string>
+#include <vector>
+
 namespace Seccomp {
     enum Type { KIT, WSD };
 
diff --git a/common/Util.cpp b/common/Util.cpp
index ba01c765a..ca78e5bf5 100644
--- a/common/Util.cpp
+++ b/common/Util.cpp
@@ -16,6 +16,7 @@
 #include <sys/poll.h>
 #include <sys/prctl.h>
 #include <sys/stat.h>
+#include <sys/syscall.h>
 #include <sys/uio.h>
 #include <sys/vfs.h>
 #include <sys/types.h>
@@ -56,6 +57,8 @@
 #include "Log.hpp"
 #include "Util.hpp"
 
+using std::size_t;
+
 namespace Util
 {
     namespace rng
@@ -272,7 +275,7 @@ namespace Util
 
     static const char *startsWith(const char *line, const char *tag)
     {
-        int len = strlen(tag);
+        int len = std::strlen(tag);
         if (!strncmp(line, tag, len))
         {
             while (!isdigit(line[len]) && line[len] != '\0')
@@ -444,42 +447,40 @@ namespace Util
         return replace(r, "\n", " / ");
     }
 
-    static __thread char ThreadName[32];
+    static __thread char ThreadName[32] = {0};
 
     void setThreadName(const std::string& s)
     {
         strncpy(ThreadName, s.c_str(), 31);
         ThreadName[31] = '\0';
         if (prctl(PR_SET_NAME, reinterpret_cast<unsigned long>(s.c_str()), 0, 0, 0) != 0)
-            LOG_SYS("Cannot set thread name of " << getThreadId() << " (0x" <<
-                    std::hex << std::this_thread::get_id() <<
-                    std::dec << ") to [" << s << "].");
+            LOG_SYS("Cannot set thread name of " << getThreadId() << " (" << std::hex <<
+                    std::this_thread::get_id() << std::dec << ") to [" << s << "].");
         else
-            LOG_INF("Thread " << getThreadId() << " (0x" <<
-                    std::hex << std::this_thread::get_id() <<
-                    std::dec << ") is now called [" << s << "].");
+            LOG_INF("Thread " << getThreadId() << " (" << std::hex <<
+                    std::this_thread::get_id() << std::dec << ") is now called [" << s << "].");
     }
 
     const char *getThreadName()
     {
-        // Main process and/or not set yet.
+        // Main process and/or thread name not set yet.
         if (ThreadName[0] == '\0')
         {
             if (prctl(PR_GET_NAME, reinterpret_cast<unsigned long>(ThreadName), 0, 0, 0) != 0)
-                ThreadName[0] = '\0';
+                strncpy(ThreadName, "<noid>", sizeof(ThreadName) - 1);
         }
 
         // Avoid so many redundant system calls
         return ThreadName;
     }
 
-    static __thread pid_t ThreadTid;
+    static __thread pid_t ThreadTid = 0;
 
     pid_t getThreadId()
     {
         // Avoid so many redundant system calls
         if (!ThreadTid)
-            ThreadTid = syscall(SYS_gettid);
+            ThreadTid = ::syscall(SYS_gettid);
         return ThreadTid;
     }
 
diff --git a/net/Socket.cpp b/net/Socket.cpp
index 0ad24d5b2..65b97bdf9 100644
--- a/net/Socket.cpp
+++ b/net/Socket.cpp
@@ -9,9 +9,13 @@
 
 #include "config.h"
 
-#include <stdio.h>
+#include "Socket.hpp"
+
+#include <cstring>
 #include <ctype.h>
 #include <iomanip>
+#include <stdio.h>
+#include <unistd.h>
 #include <zlib.h>
 
 #include <Poco/DateTime.h>
@@ -19,8 +23,7 @@
 #include <Poco/DateTimeFormatter.h>
 #include <Poco/Net/HTTPResponse.h>
 
-#include "SigUtil.hpp"
-#include "Socket.hpp"
+#include <SigUtil.hpp>
 #include "ServerSocket.hpp"
 #include "WebSocketHandler.hpp"
 
commit 320e2979751d792b4b9683ae288de75c53e2ddf9
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Mon Jun 4 10:23:58 2018 -0400
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:08:03 2018 -0400

    wsd: clang-format logging macros and pass logger explicitly
    
    Change-Id: I37e7f4b5687b64b36e0985942627a4b84a8249eb

diff --git a/common/Log.hpp b/common/Log.hpp
index a3e4a9ae1..90ed1a7dc 100644
--- a/common/Log.hpp
+++ b/common/Log.hpp
@@ -189,20 +189,120 @@ namespace Log
     }
 }
 
-#define LOG_BODY_(PRIO, LVL, X) Poco::Message m_(l_.name(), "", Poco::Message::PRIO_##PRIO); char b_[1024]; std::ostringstream oss_(Log::prefix(b_, LVL, false), std::ostringstream::ate); oss_ << std::boolalpha << X << "| " << __FILE__ << ':' << __LINE__; m_.setText(oss_.str()); l_.log(m_);
-#define LOG_TRC(X) do { auto& l_ = Log::logger(); if (l_.trace()) { LOG_BODY_(TRACE, "TRC", X); } } while (false)
-#define LOG_DBG(X) do { auto& l_ = Log::logger(); if (l_.debug()) { LOG_BODY_(DEBUG, "DBG", X); } } while (false)
-#define LOG_INF(X) do { auto& l_ = Log::logger(); if (l_.information()) { LOG_BODY_(INFORMATION, "INF", X); } } while (false)
-#define LOG_WRN(X) do { auto& l_ = Log::logger(); if (l_.warning()) { LOG_BODY_(WARNING, "WRN", X); } } while (false)
-#define LOG_ERR(X) do { auto& l_ = Log::logger(); if (l_.error()) { LOG_BODY_(ERROR, "ERR", X); } } while (false)
-#define LOG_SYS(X) do { auto& l_ = Log::logger(); if (l_.error()) { LOG_BODY_(ERROR, "ERR", X << " (errno: " << std::strerror(errno) << ")"); } } while (false)
-#define LOG_FTL(X) do { auto& l_ = Log::logger(); if (l_.fatal()) { LOG_BODY_(FATAL, "FTL", X); } } while (false)
-#define LOG_SFL(X) do { auto& l_ = Log::logger(); if (l_.error()) { LOG_BODY_(FATAL, "FTL", X << " (errno: " << std::strerror(errno) << ")"); } } while (false)
-
-#define LOG_END(l) do { l << __FILE__ << ':' << __LINE__; l.flush(); } while (false)
-
-#define LOG_CHECK(X) do { if (!(X)) { LOG_ERR("Check failed. Expected (" #X ")."); } } while (false)
-#define LOG_CHECK_RET(X, RET) do { if (!(X)) { LOG_ERR("Check failed. Expected (" #X ")."); return RET; } } while (false)
+#define LOG_END(LOG)                                \
+    do                                              \
+    {                                               \
+        LOG << "| " << __FILE__ << ':' << __LINE__; \
+        LOG.flush();                                \
+    } while (false)
+
+#define LOG_BODY_(LOG, PRIO, LVL, X)                                               \
+    Poco::Message m_(LOG.name(), "", Poco::Message::PRIO_##PRIO);                  \
+    char b_[1024];                                                                 \
+    std::ostringstream oss_(Log::prefix(b_, LVL, false), std::ostringstream::ate); \
+    oss_ << std::boolalpha << X;                                                   \
+    LOG_END(oss_);                                                                  \
+    m_.setText(oss_.str());                                                        \
+    LOG.log(m_);
+
+#define LOG_TRC(X)                            \
+    do                                        \
+    {                                         \
+        auto &log_ = Log::logger();           \
+        if (log_.trace())                     \
+        {                                     \
+            LOG_BODY_(log_, TRACE, "TRC", X); \
+        }                                     \
+    } while (false)
+
+#define LOG_DBG(X)                            \
+    do                                        \
+    {                                         \
+        auto &log_ = Log::logger();           \
+        if (log_.debug())                     \
+        {                                     \
+            LOG_BODY_(log_, DEBUG, "DBG", X); \
+        }                                     \
+    } while (false)
+
+#define LOG_INF(X)                                  \
+    do                                              \
+    {                                               \
+        auto &log_ = Log::logger();                 \
+        if (log_.information())                     \
+        {                                           \
+            LOG_BODY_(log_, INFORMATION, "INF", X); \
+        }                                           \
+    } while (false)
+
+#define LOG_WRN(X)                              \
+    do                                          \
+    {                                           \
+        auto &log_ = Log::logger();             \
+        if (log_.warning())                     \
+        {                                       \
+            LOG_BODY_(log_, WARNING, "WRN", X); \
+        }                                       \
+    } while (false)
+
+#define LOG_ERR(X)                            \
+    do                                        \
+    {                                         \
+        auto &log_ = Log::logger();           \
+        if (log_.error())                     \
+        {                                     \
+            LOG_BODY_(log_, ERROR, "ERR", X); \
+        }                                     \
+    } while (false)
+
+#define LOG_SYS(X)                                                                          \
+    do                                                                                      \
+    {                                                                                       \
+        auto &log_ = Log::logger();                                                         \
+        if (log_.error())                                                                   \
+        {                                                                                   \
+            LOG_BODY_(log_, ERROR, "ERR", X << " (errno: " << std::strerror(errno) << ")"); \
+        }                                                                                   \
+    } while (false)
+
+#define LOG_FTL(X)                            \
+    do                                        \
+    {                                         \
+        auto &log_ = Log::logger();           \
+        if (log_.fatal())                     \
+        {                                     \
+            LOG_BODY_(log_, FATAL, "FTL", X); \
+        }                                     \
+    } while (false)
+
+#define LOG_SFL(X)                                                                          \
+    do                                                                                      \
+    {                                                                                       \
+        auto &log_ = Log::logger();                                                         \
+        if (log_.error())                                                                   \
+        {                                                                                   \
+            LOG_BODY_(log_, FATAL, "FTL", X << " (errno: " << std::strerror(errno) << ")"); \
+        }                                                                                   \
+    } while (false)
+
+#define LOG_CHECK(X)                                     \
+    do                                                   \
+    {                                                    \
+        if (!(X))                                        \
+        {                                                \
+            LOG_ERR("Check failed. Expected (" #X ")."); \
+        }                                                \
+    } while (false)
+
+#define LOG_CHECK_RET(X, RET)                            \
+    do                                                   \
+    {                                                    \
+        if (!(X))                                        \
+        {                                                \
+            LOG_ERR("Check failed. Expected (" #X ")."); \
+            return RET;                                  \
+        }                                                \
+    } while (false)
 
 #endif
 
commit 03aec2b744dd02fcc2bdf55d0de7345910cb0fcc
Author:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
AuthorDate: Sun Feb 11 15:40:28 2018 -0500
Commit:     Ashod Nakashian <ashod.nakashian at collabora.co.uk>
CommitDate: Fri Jun 15 01:08:03 2018 -0400

    kit: makeRenderParams now static
    
    Change-Id: I1c79991a73044a91ed9f8389e23ccffd8b2bcbce
    Reviewed-on: https://gerrit.libreoffice.org/49572
    Reviewed-by: Ashod Nakashian <ashnakash at gmail.com>
    Tested-by: Ashod Nakashian <ashnakash at gmail.com>

diff --git a/kit/Kit.cpp b/kit/Kit.cpp
index 6385103da..374025a8d 100644
--- a/kit/Kit.cpp
+++ b/kit/Kit.cpp
@@ -1586,7 +1586,7 @@ private:
             LOG_TRC("View to url [" << uri << "] created.");
         }
 
-        const std::string renderParams = makeRenderParams(userName);
+        const std::string renderParams = makeRenderParams(_renderOpts, userName);
         LOG_INF("Initializing for rendering session [" << sessionId << "] on document url [" <<
                 _url << "] with: [" << renderParams << "].");
 
@@ -1685,15 +1685,15 @@ private:
         return false;
     }
 
-    std::string makeRenderParams(const std::string& userName)
+    static std::string makeRenderParams(const std::string& renderOpts, const std::string& userName)
     {

... etc. - the rest is truncated


More information about the Libreoffice-commits mailing list