On Tue, Jan 10, 2012 at 11:26:46AM -0600, Matt Rogers wrote:
> On Tue, Jan 10, 2012 at 10:50 AM, Tim van Deurzen <[email protected]> wrote:
> > On Tue, Jan 10, 2012 at 10:34:34AM -0600, Christian Frank wrote:
> >
> >> On Tue, Jan 10, 2012 at 10:09 AM, Matt Rogers <[email protected]> wrote:
> >>
> >> On Tue, Dec 27, 2011 at 2:00 PM, Tim van Deurzen <[email protected]> wrote:
> >> > Hi,
> >> >
> >> > I've just installed Tracks 2.1 devel 0 on my Gentoo machine. Now my
> >> > problem is the following:
> >> >
> >> > When I look at the 'production.log' file I can see users' passwords in
> >> > plain text. I have spent the better part of two hours trying to find
> >> > some configuration setting or distinct logging setting to disable this.
> >> > However, I've come up blank. Is this a bug, a feature or a security hole
> >> > and how do I fix it?
> >> >
> >> >
> >> > Kind regards,
> >> >
> >> > Tim.
> >>
> >> Hi Tim,
> >>
> >> Could you be a bit more specific about what you're seeing in the logs
> >> and where you're seeing it? For example, when I log in, this is what I
> >> see in my production.log file.
> >>
> >> Processing LoginController#login (for 127.0.0.1 at 2012-01-10 10:05:26) [POST]
> >>   Parameters: {"user_login"=>"admin", "action"=>"login",
> >> "authenticity_token"=>"j0x/fd15ORwIwUYAXkcHfRxoRX5sDSujk723B4nRA64=",
> >> "controller"=>"login", "user_password"=>"[FILTERED]",
> >> "user_noexpiry"=>"on", "login"=>"Sign in >>"}
> >> Redirected to http://localhost:3001/
> >> Completed in 246ms (DB: 1) | 302 Found [http://localhost/login]
> >>
> >> Thanks,
> >> Matt
> >> _______________________________________________
> >> Tracks-discuss mailing list
> >> [email protected]
> >> http://lists.rousette.org.uk/mailman/listinfo/tracks-discuss
> >>
> >> Tim,
> >> The Rails setting for this is "filter_parameter_logging :user_password"
> >> which sits near the top of app/controllers/login_controller.rb in my
> >> setup (2.1 devel as of 9/28/2011). It replaces the cleartext
> >> 'user_password' with [FILTERED] in the logs as Matt showed. I see
> >> exactly the same thing as Matt.
> >> Are you using the standard login scheme, or is this with the API or
> >> OpenId?
> >> Best
> >> Christian
> >
> > Hi Christian,
> >
> > I forgot to reply-all to Matt's response, this is what I wrote:
> >
> > It concerns the `password' and `password_confirmation' parameter for the
> > creation of a new user. So, when adding a new user to the system the
> > password is logged, twice, in plaintext.
> >
> >
> > Kind regards,
> >
> > Tim.
> >
> > -- production.log --
> >
> > Processing UsersController#create (for ::ffff:93.163.59.75 at 2012-01-10 17:27:48) [POST]
> >   Parameters:
> > {"authenticity_token"=>"DnWXcCMu4VI31dKBMQNRDH9ploEni/G9TUvTfXFRqco=",
> >  "user"=>{"open_id_url"=>"",
> >           "password_confirmation"=>"test123",
> >           "auth_type"=>"database",
> >           "password"=>"test123",
> >           "login"=>"test"
> >          }
> > }
>
> I've pushed a fix for this to master.
> Thanks for reporting it.
> Matt

Great, I'll update ASAP.

Cheers,

Tim.
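The gap Tim hit can be reproduced offline. The following is an added example, not Tracks' or Rails' own code: it re-implements the matching rule that Rails 2.x `filter_parameter_logging` uses (assumption: the filter words are joined into one case-insensitive regexp, a key is masked when that regexp matches it, and nested hashes are walked recursively) and runs it over constructed copies of the two parameter hashes quoted in the thread. It shows why `filter_parameter_logging :user_password` masks the login form but leaves `user[password]` and `user[password_confirmation]` of the signup form in clear, and that filtering on the substring `:password` covers all three keys. Function names, the pre-filter login password value and the shortened token are ours; the thread does not say what form Matt's fix took.

```ruby
# Added example, not Tracks' or Rails' own code. Re-implements the key-matching
# rule of Rails 2.x filter_parameter_logging (assumption: words joined into one
# case-insensitive regexp, matching keys masked, nested hashes walked) so the
# two requests from the thread can be compared offline.

FILTERED = '[FILTERED]'.freeze

# Build the key pattern the way filter_parameter_logging builds it from its words.
def build_filter(*words)
  Regexp.new(words.map(&:to_s).join('|'), Regexp::IGNORECASE)
end

# Return a copy of params in which every key matching the pattern is masked,
# at any nesting depth (arrays of hashes are walked too).
def filter_params(params, pattern)
  params.each_with_object({}) do |(key, value), out|
    out[key] =
      if key.to_s =~ pattern
        FILTERED
      elsif value.is_a?(Hash)
        filter_params(value, pattern)
      elsif value.is_a?(Array)
        value.map { |v| v.is_a?(Hash) ? filter_params(v, pattern) : v }
      else
        value
      end
  end
end

# Audit helper: list the path of every leaf whose value is still one of the
# known secrets after filtering. Run this before trusting a log filter.
def leaked_keys(params, secrets, prefix = nil)
  params.flat_map do |key, value|
    path = prefix ? "#{prefix}[#{key}]" : key.to_s
    if value.is_a?(Hash)
      leaked_keys(value, secrets, path)
    elsif secrets.include?(value)
      [path]
    else
      []
    end
  end
end

# Constructed copies of the parameter hashes quoted in the thread. The login
# password value is invented (the log already showed it masked) and the
# authenticity token is shortened.
LOGIN_PARAMS = {
  'user_login' => 'admin', 'action' => 'login', 'controller' => 'login',
  'user_password' => 's3cret', 'user_noexpiry' => 'on', 'login' => 'Sign in >>'
}.freeze

SIGNUP_PARAMS = {
  'authenticity_token' => 'DnWXcCMu...',
  'user' => {
    'open_id_url' => '', 'password_confirmation' => 'test123',
    'auth_type' => 'database', 'password' => 'test123', 'login' => 'test'
  }
}.freeze

SECRETS = %w[s3cret test123].freeze

NARROW = build_filter(:user_password) # the setting Christian found in login_controller.rb
BROAD  = build_filter(:password)      # also matches password and password_confirmation

if __FILE__ == $PROGRAM_NAME
  { 'user_password' => NARROW, 'password' => BROAD }.each do |name, pattern|
    puts "filter_parameter_logging :#{name}"
    puts "  login  still leaks: #{leaked_keys(filter_params(LOGIN_PARAMS, pattern), SECRETS).inspect}"
    puts "  signup still leaks: #{leaked_keys(filter_params(SIGNUP_PARAMS, pattern), SECRETS).inspect}"
  end
end
```

Because the match is a substring match on the key name, a single `:password` word is enough for `user_password`, `password` and `password_confirmation` alike; the same holds for `config.filter_parameters += [:password]` in Rails 3 and later. Keep the audit in a test so a new form field carrying a secret under an unexpected name is caught before it reaches production.log.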
