On Tue, Jan 10, 2012 at 10:09 AM, Matt Rogers <[email protected]> wrote:
> On Tue, Dec 27, 2011 at 2:00 PM, Tim van Deurzen <[email protected]> wrote:
> > Hi,
> >
> > I've just installed Tracks 2.1 devel 0 on my Gentoo machine. Now my
> > problem is the following:
> >
> > When I look at the 'production.log' file I can see users' passwords in
> > plain text. I have spent the better part of two hours trying to find
> > some configuration setting or distinct logging setting to disable this.
> > However, I've come up blank. Is this a bug, a feature or a security hole
> > and how do I fix it?
> >
> >
> > Kind regards,
> >
> > Tim.
>
> Hi Tim,
>
> Could you be a bit more specific about what you're seeing in the logs
> and where you're seeing it? For example, when I log in, this is what I
> see in my production.log file.
>
> Processing LoginController#login (for 127.0.0.1 at 2012-01-10 10:05:26)
> [POST]
>   Parameters: {"user_login"=>"admin", "action"=>"login",
> "authenticity_token"=>"j0x/fd15ORwIwUYAXkcHfRxoRX5sDSujk723B4nRA64=",
> "controller"=>"login", "user_password"=>"[FILTERED]",
> "user_noexpiry"=>"on", "login"=>"Sign in »"}
> Redirected to http://localhost:3001/
> Completed in 246ms (DB: 1) | 302 Found [http://localhost/login]
>
> Thanks,
> Matt
> _______________________________________________
> Tracks-discuss mailing list
> [email protected]
> http://lists.rousette.org.uk/mailman/listinfo/tracks-discuss
Tim,

The Rails setting for this is "filter_parameter_logging :user_password" which sits near the top of app/controllers/login_controller.rb in my setup (2.1 devel as of 9/28/2011). It replaces the cleartext 'user_password' with [FILTERED] in the logs as Matt showed.

I see exactly the same thing as Matt. Are you using the standard login scheme, or is this with the API or OpenID?

Best
Christian
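To make the behaviour Christian describes concrete, here is an added example that is not code from Tracks or from Rails: a small pure-Ruby re-implementation of what `filter_parameter_logging` does to the "Parameters:" line (keys matching a filter are replaced by "[FILTERED]", nested hashes and arrays are walked too), plus a check a defender can run over an existing production.log to find password-like parameters that were written out in the clear. The parameter hash and the password value are constructed for the example; the function names and the "password/passwd/pwd" key pattern are assumptions of this example, and in Rails 3 and later the same setting lives in config/initializers/filter_parameter_logging.rb as `config.filter_parameters`.

```ruby
# Added example, modelled on (not copied from) Rails' filter_parameter_logging.

FILTERED = "[FILTERED]"

# Return a copy of params with the value of every key matching one of the
# filters replaced by "[FILTERED]". A filter matches when it appears as a
# case-insensitive substring of the key, so :password also catches
# "user_password". Nested hashes/arrays are walked so {"user"=>{"password"=>..}}
# is caught as well.
def filter_params(params, filters)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      hit = filters.any? { |f| key.to_s.downcase.include?(f.to_s.downcase) }
      out[key] = hit ? FILTERED : filter_params(value, filters)
    end
  when Array
    params.map { |v| filter_params(v, filters) }
  else
    params
  end
end

# Render the "Parameters:" line the way it appears in production.log.
def parameters_log_line(params, filters)
  "  Parameters: #{filter_params(params, filters).inspect}"
end

# Defender's check for an existing log: find password-like keys whose logged
# value is anything other than "[FILTERED]". Works on both the old "k"=>"v"
# and the newer "k" => "v" Hash#inspect spellings. Returns the offending keys.
SECRET_KEY_PATTERN = /"([^"]*(?:password|passwd|pwd)[^"]*)"\s*=>\s*"((?:[^"\\]|\\.)*)"/i

def unfiltered_secrets(log_line)
  log_line.scan(SECRET_KEY_PATTERN)
          .reject { |_key, value| value == FILTERED }
          .map(&:first)
end

# Constructed sample request, shaped like the login POST in the thread.
# The password is a placeholder, not a real credential.
SAMPLE_PARAMS = {
  "user_login"    => "admin",
  "action"        => "login",
  "controller"    => "login",
  "user_password" => "example-placeholder-password",
  "user_noexpiry" => "on",
}

if __FILE__ == $0
  # Without a filter the password is written to the log in the clear.
  puts parameters_log_line(SAMPLE_PARAMS, [])
  # With the filter from the thread it is masked, as in Matt's log excerpt.
  puts parameters_log_line(SAMPLE_PARAMS, [:user_password])
  # Scanning the unfiltered line reports the leaking key.
  p unfiltered_secrets(parameters_log_line(SAMPLE_PARAMS, []))
end
```

The check is the useful part for Tim's situation: run `unfiltered_secrets` over each line of the existing production.log to confirm which requests leaked before the filter was in place, and treat any lines it flags as needing log rotation and a password reset for the affected accounts, since the filter only protects future entries.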
