On Mon, 1 Feb 2010, Maciej Grela wrote:

> Is it possible to use the log4perl appenders, layouts etc. to mask
> secret values (passwords) from the log files generated by log4perl?
The best way to avoid passwords in the logs is to avoid logging them in
the first place. If you're writing the application, simply strip out the
password fields from the web forms before you dump them to the logging
mechanism. Stripping out logged passwords by using a simple
search/replace on the logged passwords is not a safe practice, because
a) the application would actually have to know and store the cleartext
passwords and b) you'd get funny (and revealing!) results if the
password matches regular text.

-- Mike

Mike Schilli
m...@perlmeister.com

> For example, I routinely use log4perl to dump the data in web forms
> before POSTing them. These forms often contain sensitive user
> information and I wouldn't want any of my users to post a log with his
> password on some public bugzilla. To this day I have manually filtered
> out these secrets using a wrapper function used in sensitive places. I
> feel, however, that I need a better approach.
>
> As a quick proof-of-concept I simply hacked my own version of the
> Multiline appender adding the following code:
>
> ---
> /usr/lib/perl5/vendor_perl/5.8.8/Log/Log4perl/Layout/PatternLayout/Multiline.pm
> 2009-12-30
> 14:27:32.000000000 +0100
> +++ lib/Log/Log4perl/Layout/PatternLayout/Masked.pm 2010-02-01
> 07:24:01.000000000 +0100
> @@ -1,8 +1,11 @@
> #!/usr/bin/perl
>
> -package Log::Log4perl::Layout::PatternLayout::Multiline;
> +package Log::Log4perl::Layout::PatternLayout::Masked;
> use base qw(Log::Log4perl::Layout::PatternLayout);
>
> +use Log::Log4perl::MDC;
> +
> +
> ###########################################
> sub render {
> ###########################################
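Review bot: The `-package ...::Multiline;` / `+package ...::Masked;` pair shows Multiline.pm was copied wholesale into Masked.pm, so the multiline render logic is now forked and will drift from the original; consider `use base qw(Log::Log4perl::Layout::PatternLayout::Multiline);` and overriding render() to mask the message before delegating to SUPER::render, so later fixes to Multiline also reach the masked layout. The two empty `+` lines after `+use Log::Log4perl::MDC;` are stray whitespace.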
> @@ -13,8 +16,15 @@
> $caller_level = 0 unless defined $caller_level;
>
> my $result;
> + my $secret_list = Log::Log4perl::MDC->get("secrets");
>
> for my $msg ( @messages ) {
> + # Mask the secret values if needed
> + if ( $secret_list ) {
> + foreach (keys %{$secret_list}) {
> + $msg =~ s/$_/$secret_list->{$_}/g;
> + }
> + }
> $result .= $self->SUPER::render(
> $msg, $category, $priority, $caller_level + 1
> );
>
> The "proper" solution however would be to make this feature
> independent of the layout and appender used. I have tried to use
> filters but unfortunately the filter function cannot change the
> contents of the message. I think the best approach would be to allow
> the filter function to change the contents of the message by passing a
> reference to the message hash instead of a copy.
> This of course will break compatibility with existing filters and they
> would have to be rewritten. Fortunately, there are not a lot of them in
> the Log4perl distribution, I don't know about any external ones.
>
> What do you think about all of this? I'm willing to write the code &
> tests needed to implement this feature properly if there is interest
> in it.
>
> Best regards,
> Maciej Grela
>
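Review bot: In `$msg =~ s/$_/$secret_list->{$_}/g;` the secret is interpolated into the pattern unescaped, so a password containing regex metacharacters (`.`, `*`, `(`, `$`, `?`) either fails to match and stays in the log, or matches far more text than intended; use `s/\Q$_\E/$secret_list->{$_}/g` so the value is matched literally. The `if ( $secret_list )` guard only tests truthiness before `keys %{$secret_list}`, so a non-hash value stored under the "secrets" MDC key dies inside render(); test `ref $secret_list eq 'HASH'` instead. And, as the reply above points out, this design still keeps the cleartext secrets in the MDC for the life of the process, where any code that can reach `Log::Log4perl::MDC->get("secrets")` can read them back.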
> _______________________________________________
> log4perl-devel mailing list
> log4perl-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/log4perl-devel
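The approach recommended in the reply above, redacting by field name before the form is dumped rather than by searching for the password value, as an added Perl example that is not from this thread or from the Log4perl distribution; the credential field list and the sample form are constructed for the illustration. The password `the` also occurs as an ordinary word in the bio to show the false-match problem a value-based search/replace would have had.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Log::Log4perl qw(:easy);
use Data::Dumper;

# Field names that must never reach the log. Constructed list for this
# example; extend it with the application's own credential field names.
my @SECRET_FIELDS = qw(password passwd secret token api_key);
my $SECRET_RE = join '|', map { quotemeta } @SECRET_FIELDS;

# Return a deep copy of the form data with every value whose key names a
# credential replaced by a fixed placeholder. Matching is on the key, so
# the code never has to know the cleartext value or turn it into a regex,
# and ordinary text that happens to equal a password is left alone.
sub redact_form {
    my ($data) = @_;
    if (ref $data eq 'HASH') {
        my %copy;
        for my $key (keys %$data) {
            $copy{$key} = $key =~ /(?:\A|_)(?:$SECRET_RE)(?:_|\z)/i
                        ? '[REDACTED]'
                        : redact_form($data->{$key});
        }
        return \%copy;
    }
    return [ map { redact_form($_) } @$data ] if ref $data eq 'ARRAY';
    return $data;   # plain scalars pass through unchanged
}

Log::Log4perl->easy_init($DEBUG);
my $log = get_logger();

# Constructed sample form, as it would be dumped before POSTing. The
# password "the" also appears as a plain word in the bio, which a
# value-based s/the/xxx/g would have mangled and thereby revealed.
my %form = (
    username     => 'alice',
    password     => 'the',
    new_password => 'S3cr3t!',
    profile      => { bio => 'the best', api_key => 'abc123' },
);

$Data::Dumper::Sortkeys = 1;
$Data::Dumper::Terse    = 1;
$log->debug("POSTing form: ", Dumper(redact_form(\%form)));
```

The logged dump keeps `username` and `bio` intact while `password`, `new_password` and `profile.api_key` read `[REDACTED]`, and no cleartext secret is ever stored for the purpose of masking.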