[Tracks-discuss] Re: logging

Tue, 10 Jan 2012 08:51:31 -0800 

On Tue, Jan 10, 2012 at 10:34:34AM -0600, Christian Frank wrote:

>    On Tue, Jan 10, 2012 at 10:09 AM, Matt Rogers <[email protected]> wrote:
> 
>      On Tue, Dec 27, 2011 at 2:00 PM, Tim van Deurzen <[email protected]>
>      wrote:
>      > Hi,
>      >
>      > I've just installed Tracks 2.1 devel 0 on my Gentoo machine. Now my
>      > problem is the following:
>      >
>      > When I look at the 'production.log' file I can see users' passwords in
>      > plain text. I have spent the better part of two hours trying to find
>      > some configuration setting or distinct logging setting to disable
>      this.
>      > However, I've come up blank. Is this a bug, a feature or a security
>      hole
>      > and how do I fix it?
>      >
>      >
>      > Kind regards,
>      >
>      > Tim.
> 
>      Hi Tim,
> 
>      Could you be a bit more specfic about what you're seeing in the logs
>      and where you're seeing it? For example, when I log in, this is what i
>      see in my production.log file.
> 
>      Processing LoginController#login (for 127.0.0.1 at 2012-01-10 10:05:26)
>      [POST]
>       Parameters: {"user_login"=>"admin", "action"=>"login",
>      "authenticity_token"=>"j0x/fd15ORwIwUYAXkcHfRxoRX5sDSujk723B4nRA64=",
>      "controller"=>"login", "user_password"=>"[FILTERED]",
>      "user_noexpiry"=>"on", "login"=>"Sign in >>"}
>      Redirected to http://localhost:3001/
>      Completed in 246ms (DB: 1) | 302 Found [http://localhost/login]
> 
>      Thanks,
>      Matt
>      _______________________________________________
>      Tracks-discuss mailing list
>      [email protected]
>      http://lists.rousette.org.uk/mailman/listinfo/tracks-discuss
> 
>    Tim, 
>    The Rails setting for this is "filter_parameter_logging
>    :user_password" which sits near the top of
>    app/controllers/login_controller.rb in my setup (2.1 devel as of
>    9/28/2011).  It replaces the cleartext 'user_password' with [FILTERED] in
>    the logs as Matt showed.  I see exactly the same thing as Matt.
>    Are you using the standard login scheme, or is this with the API or
>    OpenId?
>    Best
>     Christian

Hi Christian,

I forgot to reply-all to Matt's response, this is what I wrote:

It concerns the `password' and `password_confirmation' parameter for the
creation of a new user. So, when adding a new user to the system the
password is logged, twice, in plaintext.


Kind regards,

Tim.

-- production.log --

Processing UsersController#create (for ::ffff:93.163.59.75 at 2012-01-10
17:27:48) [POST]
  Parameters:
  {"authenticity_token"=>"DnWXcCMu4VI31dKBMQNRDH9ploEni/G9TUvTfXFRqco=",
      "user"=>{"open_id_url"=>"", 
          "password_confirmation"=>"test123",
          "auth_type"=>"database", 
          "password"=>"test123", 
          "login"=>"test"
      }
  }

_______________________________________________
Tracks-discuss mailing list
[email protected]
http://lists.rousette.org.uk/mailman/listinfo/tracks-discuss

Reply via email to