Auto merge of zcash#1584 - bitcartel:1504_zca_011_logging, r=daira

More granular control over logging of z_* calls Closes zcash#1504
yang123vc · Oct 22, 2016 · fd7ef7b · fd7ef7b
2 parents 10ad093 + 446f867
commit fd7ef7b
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/doc/security-warnings.md b/doc/security-warnings.md
@@ -86,3 +86,12 @@ Block Chain Reorganization: Major Differences
 Users should be aware of new behavior in Zcash that differs significantly from Bitcoin: in the case of a block chain reorganization, Bitcoin's coinbase maturity rule helps to ensure that any reorganization shorter than the maturity interval will not invalidate any of the rolled-back transactions. Zcash keeps Bitcoin's 100-block maturity interval for generation transactions, but because JoinSplits must be anchored within a block, this provides more limited protection against transactions becoming invalidated. In the case of a block chain reorganization for Zcash, all JoinSplits which were anchored within the reorganization interval and any transactions that depend on them will become invalid, rolling back transactions and reverting funds to the original owner. The transaction rebroadcast mechanism inherited from Bitcoin will not successfully rebroadcast transactions depending on invalidated JoinSplits if the anchor needs to change. The creator of an invalidated JoinSplit, as well as the creators of all transactions dependent on it, must rebroadcast the transactions themselves.
 
 Receivers of funds from a JoinSplit can mitigate the risk of relying on funds received from transactions that may be rolled back by using a higher minconf (minimum number of confirmations).
+
+Logging z_* RPC calls
+---------------------
+
+The option `-debug=zrpc` covers logging of the z_* calls.  This will reveal information about private notes which you might prefer not to disclose.  For example, when calling `z_sendmany` to create a shielded transaction, input notes are consumed and new output notes are created.
+
+The option `-debug=zrpcunsafe` covers logging of sensitive information in z_* calls which you would only need for debugging and audit purposes.  For example, if you want to examine the memo field of a note being spent.
+
+Private spending keys for z addresses are never logged.
diff --git a/src/wallet/asyncrpcoperation_sendmany.cpp b/src/wallet/asyncrpcoperation_sendmany.cpp
@@ -780,14 +780,24 @@ bool AsyncRPCOperation_sendmany::find_unspent_notes() {
     for (CNotePlaintextEntry & entry : entries) {
         z_inputs_.push_back(SendManyInputJSOP(entry.jsop, entry.plaintext.note(frompaymentaddress_), CAmount(entry.plaintext.value)));
         std::string data(entry.plaintext.memo.begin(), entry.plaintext.memo.end());
-        LogPrint("zrpc", "%s: found unspent note (txid=%s, vjoinsplit=%d, ciphertext=%d, amount=%s, memo=%s)\n",
+        if (LogAcceptCategory("zrpcunsafe")) {
+            LogPrint("zrpcunsafe", "%s: found unspent note (txid=%s, vjoinsplit=%d, ciphertext=%d, amount=%s, memo=%s)\n",
                 getId().substr(0, 10),
                 entry.jsop.hash.ToString().substr(0, 10),
                 entry.jsop.js,
                 int(entry.jsop.n),  // uint8_t
                 FormatMoney(entry.plaintext.value, false),
                 HexStr(data).substr(0, 10)
                 );
+        } else {
+            LogPrint("zrpc", "%s: found unspent note (txid=%s, vjoinsplit=%d, ciphertext=%d, amount=%s)\n",
+                getId().substr(0, 10),
+                entry.jsop.hash.ToString().substr(0, 10),
+                entry.jsop.js,
+                int(entry.jsop.n),  // uint8_t
+                FormatMoney(entry.plaintext.value, false)
+                );
+        }
     }
 
     if (z_inputs_.size() == 0) {