On Tue, Jan 10, 2012 at 10:50 AM, Tim van Deurzen <[email protected]> wrote: > On Tue, Jan 10, 2012 at 10:34:34AM -0600, Christian Frank wrote: > >> On Tue, Jan 10, 2012 at 10:09 AM, Matt Rogers <[email protected]> wrote: >> >> On Tue, Dec 27, 2011 at 2:00 PM, Tim van Deurzen <[email protected]> >> wrote: >> > Hi, >> > >> > I've just installed Tracks 2.1 devel 0 on my Gentoo machine. Now my >> > problem is the following: >> > >> > When I look at the 'production.log' file I can see users' passwords in >> > plain text. I have spent the better part of two hours trying to find >> > some configuration setting or distinct logging setting to disable >> this. >> > However, I've come up blank. Is this a bug, a feature or a security >> hole >> > and how do I fix it? >> > >> > >> > Kind regards, >> > >> > Tim. >> >> Hi Tim, >> >> Could you be a bit more specfic about what you're seeing in the logs >> and where you're seeing it? For example, when I log in, this is what i >> see in my production.log file. >> >> Processing LoginController#login (for 127.0.0.1 at 2012-01-10 10:05:26) >> [POST] >> Parameters: {"user_login"=>"admin", "action"=>"login", >> "authenticity_token"=>"j0x/fd15ORwIwUYAXkcHfRxoRX5sDSujk723B4nRA64=", >> "controller"=>"login", "user_password"=>"[FILTERED]", >> "user_noexpiry"=>"on", "login"=>"Sign in >>"} >> Redirected to http://localhost:3001/ >> Completed in 246ms (DB: 1) | 302 Found [http://localhost/login] >> >> Thanks, >> Matt >> _______________________________________________ >> Tracks-discuss mailing list >> [email protected] >> http://lists.rousette.org.uk/mailman/listinfo/tracks-discuss >> >> Tim, >> The Rails setting for this is "filter_parameter_logging >> :user_password" which sits near the top of >> app/controllers/login_controller.rb in my setup (2.1 devel as of >> 9/28/2011). It replaces the cleartext 'user_password' with [FILTERED] in >> the logs as Matt showed. I see exactly the same thing as Matt. >> Are you using the standard login scheme, or is this with the API or >> OpenId? >> Best >> Christian > > Hi Christian, > > I forgot to reply-all to Matt's response, this is what I wrote: > > It concerns the `password' and `password_confirmation' parameter for the > creation of a new user. So, when adding a new user to the system the > password is logged, twice, in plaintext. > > > Kind regards, > > Tim. > > -- production.log -- > > Processing UsersController#create (for ::ffff:93.163.59.75 at 2012-01-10 > 17:27:48) [POST] > Parameters: > {"authenticity_token"=>"DnWXcCMu4VI31dKBMQNRDH9ploEni/G9TUvTfXFRqco=", > "user"=>{"open_id_url"=>"", > "password_confirmation"=>"test123", > "auth_type"=>"database", > "password"=>"test123", > "login"=>"test" > } > } >
I've pushed a fix for this to master. Thanks for reporting it. Matt _______________________________________________ Tracks-discuss mailing list [email protected] http://lists.rousette.org.uk/mailman/listinfo/tracks-discuss
