Alex Wayne
2006-Aug-15 22:52 UTC
[Rails] Keeping passwords and other sensitive data out of the logs
Even in production mode Rails logs all request params in the log files. The problem is this often includes things like user passwords, credit card numbers and other data. It even displays them when the values are POSTed. If my server is hacked it would be easy to pick this data out of the logs by a regex or two.

Is it possible to prevent logging certain params? This seems like it could be a troublesome security hole.

Any tips?

-- 
Posted via http://www.ruby-forum.com/.
Ezra Zygmuntowicz
2006-Aug-15 22:59 UTC
[Rails] Keeping passwords and other sensitive data out of the logs
On Aug 15, 2006, at 3:52 PM, Alex Wayne wrote:

> Even in production mode Rails logs all request params in the log
> files.
> The problem is this often includes things like user passwords, credit
> card numbers and other data. It even displays them when the values
> are
> POSTed. If my server is hacked it would be easy to pick this data out
> of the logs by a regex or two.
>
> Is it possible to prevent logging certain params? This seems like it
> could be a troublesome security hole.
>
> Any tips?
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

In edge rails there is a filter_log_params functionality that will filter certain things that you specify out of the log file. If you are not on edge I think there is a plugin somewhere called filtered_log_params that you can use.

-Ezra
Alex Wayne
2006-Aug-16 00:32 UTC
[Rails] Re: Keeping passwords and other sensitive data out of the lo
Ezra Zygmuntowicz wrote:
> In edge rails there is a filter_log_params functionality that will
> filter certain things that you specify out of the log file. If you
> are not on edge I think there is a plugin somewhere called
> filtered_log_params that you can use.
>
> -Ezra

Ah thanks, I'm on edge so I'll see if that works.

-- 
Posted via http://www.ruby-forum.com/.
www-data
2006-Aug-16 01:46 UTC
[Rails] Re: Keeping passwords and other sensitive data out of the lo
Alex Wayne wrote:
> Ezra Zygmuntowicz wrote:
>> In edge rails there is a filter_log_params functionality that will
>> filter certain things that you specify out of the log file. If you
>> are not on edge I think there is a plugin somewhere called
>> filtered_log_params that you can use.
>>
>> -Ezra
>
> Ah thanks, I'm on edge so I'll see if that works.

I can't seem to find any reference to that on the edge docs or in the edge source. And the plugin svn seems to be down

svn://suven.no-ip.org/rails/plugins/filter_logged_params

How do I use the edge implementation?

-- 
Posted via http://www.ruby-forum.com/.
www-data
2006-Aug-16 01:49 UTC
[Rails] Re: Keeping passwords and other sensitive data out of the lo
Guest wrote:
> Alex Wayne wrote:
>> Ezra Zygmuntowicz wrote:
>>> In edge rails there is a filter_log_params functionality that will
>>> filter certain things that you specify out of the log file. If you
>>> are not on edge I think there is a plugin somewhere called
>>> filtered_log_params that you can use.
>>>
>>> -Ezra
>>
>> Ah thanks, I'm on edge so I'll see if that works.
>
> I can't seem to find any reference to that on the edge docs or in the
> edge source. And the plugin svn seems to be down
>
> svn://suven.no-ip.org/rails/plugins/filter_logged_params
>
> How do I use the edge implementation?

Never mind... It's filter_parameter_logging

http://api.rubyonrails.com/classes/ActionController/Base.html#M000201

-- 
Posted via http://www.ruby-forum.com/.
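To make concrete what the filter_parameter_logging declaration in the thread does to a request before it reaches the log, here is an added, stand-alone illustration. It is not Rails' own implementation and not code from anyone in the thread: the ParamFilter class, its method names and the SAMPLE_PARAMS hash are constructed for this example. The behaviour it mimics is the documented one: parameter names matching the given patterns (at any nesting depth) have their values replaced with "[FILTERED]", so a password or card number never lands in the log even when POSTed.

```ruby
# Added example, not Rails code. In Rails 1.2-2.x the controller declares
#   filter_parameter_logging :password, :card_number
# (linked above) and the request log then shows "[FILTERED]" for matching
# parameter names. ParamFilter below reproduces that substitution so the
# effect can be seen without a Rails app.
class ParamFilter
  FILTERED = "[FILTERED]".freeze

  # Each pattern is a Symbol, String or Regexp; non-regexp patterns are
  # matched as case-insensitive substrings of the parameter name, so
  # :password also covers "password_confirmation" and "old_password".
  def initialize(*patterns)
    @regexps = patterns.map do |p|
      p.is_a?(Regexp) ? p : Regexp.new(Regexp.escape(p.to_s), Regexp::IGNORECASE)
    end
  end

  def sensitive?(key)
    @regexps.any? { |re| re.match?(key.to_s) }
  end

  # Returns a deep copy of +params+ with sensitive values replaced.
  # The original hash is left untouched so the application still sees
  # the real values; only the copy handed to the logger is redacted.
  def filter(params)
    case params
    when Hash
      params.each_with_object({}) do |(k, v), out|
        out[k] = sensitive?(k) ? FILTERED : filter(v)
      end
    when Array
      params.map { |v| filter(v) }
    else
      params
    end
  end
end

# Constructed sample of what a login + payment POST might carry.
SAMPLE_PARAMS = {
  "controller" => "sessions",
  "action"     => "create",
  "user"       => { "login" => "alex", "password" => "hunter2",
                    "password_confirmation" => "hunter2" },
  "payment"    => { "card_number" => "4111111111111111", "expiry" => "08/09" },
  "items"      => [{ "sku" => "A1", "qty" => "2" }]
}.freeze

# Builds the "Parameters:" line a request logger would write, redacted.
def filtered_log_line(params = SAMPLE_PARAMS)
  filter = ParamFilter.new(:password, :card_number)
  "  Parameters: #{filter.filter(params).inspect}"
end

puts filtered_log_line if __FILE__ == $0
```

Running the file prints a Parameters line in which both password fields and the card number read "[FILTERED]" while login, expiry and the item list are unchanged. The substring matching is deliberate: filtering only the exact key "password" would still leak "password_confirmation", which is why a name-based filter should match loosely.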