I have an e-commerce site and users check out with a form. The results of that form are sent to a "confirm your order" page via POST. I take great pains to NEVER store the full credit card number on my server--just the last 4 digits. I was very surprised to find that by default Rails will record POST requests with parameters in the production.log. And those parameters include credit card numbers!

I know that log levels can be customized and adjusted to show only errors but it seems like the default Rails behavior should be to NOT log the POST parameters when in production mode.

Is this something that needs to be addressed? If so, what's the correct way to escalate it? At the very least, I think there should be clear warnings and documentation about this fact.

Kevin Skoglund

------
Here's a sample from my log with the personal information stripped out by hand:

Processing StoreController#checkout (for xxx.xxx.xxx.xxx at 2006-02-06 09:38:27) [GET]
  Parameters: {"action"=>"checkout", "controller"=>"store"}
Rendering within layouts/store
Rendering store/checkout
Start rendering component ({:action=>"display_cart"}):

Processing StoreController#confirm_order (for xxx.xxx.xxx.xxx at 2006-02-06 09:39:32) [POST]
  Parameters: {"commit"=>" Continue ", "action"=>"confirm_order", "payment"=>{"card_type"=>"M", "card_number"=>"0000000000000000", "pay_type"=>"cc", "card_expiration(1i)"=>"2007", "card_expiration(2i)"=>"7"}, "controller"=>"store", "customer"=>{"company"=>"Xxxxx", "city"=>"Xxxxx", "zip"=>"00000", "country"=>"US", "suite"=>"", "phone"=>"000-000-0000", "first_name"=>"Xxxxx", "address"=>"00 Xxxxxxx", "last_name"=>"Xxxxx", "email"=>"xxx@xxxxxxx.com", "state"=>"XX"}}
Rendering within layouts/store
Rendering store/confirm_order
Start rendering component ({:action=>"display_cart"}):
I have noticed this to with users logging in. The plain password is available via the log. I guess one argument could be that the logs on on your server, and should only be available to authorized personnel.

~ Ben

On 2/7/06, Kevin Skoglund <kevin@pixelandpress.com> wrote:
> I have an e-commerce site and users check out with a form. The results of that form are sent to a "confirm your order" page via POST. I take great pains to NEVER store the full credit card number on my server--just the last 4 digits. I was very surprised to find that by default Rails will record POST requests with parameters in the production.log. And those parameters include credit card numbers!
>
> I know that log levels can be customized and adjusted to show only errors but it seems like the default Rails behavior should be to NOT log the POST parameters when in production mode.
>
> Is this something that needs to be addressed? If so, what's the correct way to escalate it? At the very least, I think there should be clear warnings and documentation about this fact.
>
> Kevin Skoglund

--
Ben Reubenstein
http://www.benr75.com
~ Quick typing created a rather poor post... Here is a patch ;)

I have noticed this too with users logging in. The plain password is available via the log. I guess one argument could be that the logs are on your server, and should only be available to authorized personnel.

~ Ben

On 2/7/06, Ben Reubenstein <benr@x-cr.com> wrote:
> I have noticed this to with users logging in. The plain password is available via the log. I guess one argument could be that the logs on on your server, and should only be available to authorized personnel.
>
> ~ Ben

--
Ben Reubenstein
http://www.benr75.com
Pretty poor argument given that the regulations around credit card security are pretty specific about what you can and cannot do with CC numbers. Storing them anywhere in a non-encrypted format is a big no-no. I am guessing Kevin does not want to store them to avoid having to deal with PCI regulations that would require additional security process to be in place.

This sounds like something that should be clearly spelled out in the docs somewhere.

On Feb 7, 2006, at 10:06 AM, Ben Reubenstein wrote:
> ~ Quick typing created a rather poor post... Here is a patch ;)
>
> I have noticed this too with users logging in. The plain password is available via the log. I guess one argument could be that the logs are on your server, and should only be available to authorized personnel.
>
> ~ Ben

- Bill
I personally do not feel that this is a Rails security issue - But I do HIGHLY recommend that it is pointed out very, very plainly that by default, all POSTS are sent to the server logs...it should be up to the developer to make adjustments as needed for the project.

One person's "no-no" is someone else's "yes, please" - this is why I think Rails is just fine, but again, it should be set with a big warning in the docs on what Rails logs.

Joseph Youngquist

On 2/7/06, Bill Pennington <bill@norcalkayakanglers.com> wrote:
> Pretty poor argument given that the regulations around credit card security are pretty specific about what you can and cannot do with CC numbers. Storing them anywhere in a non-encrypted format is a big no-no. I am guessing Kevin does not want to store them to avoid having to deal with PCI regulations that would require additional security process to be in place.
>
> This sounds like something that should be clearly spelled out in the docs somewhere.
>
> - Bill
Is there any way of automatically stopping all password fields from being added to the logs?

Estelle.

On 2/7/06, Joe Youngquist <joemanfoo@gmail.com> wrote:
> I personally do not feel that this is a Rails security issue - But I do HIGHLY recommend that it is pointed out very, very plainly that by default, all POSTS are sent to the server logs...it should be up to the developer to make adjustments as needed for the project.
>
> One person's "no-no" is someone else's "yes, please" - this is why I think Rails is just fine, but again, it should be set with a big warning in the docs on what Rails logs.
>
> Joseph Youngquist
When running in production, I set the logger level to warn in environment.rb:

  RAILS_DEFAULT_LOGGER.level = Logger::WARN

This prevents the POST information you are concerned about from being recorded in the logs.

--
Lon Baker
http://www.speedymac.com
AIM: spdemac
I did not mean to imply it was a rails issue per-se, just that it should be clearly spelled out somewhere. Logging of the POST data is not something that is standard IMO and therefore should be brought to the attention of security conscious developers.

My argument would be to not have it turned on by default, the default level would be WARN, but then again I have a large collection of hats in various metals. :-)

On Feb 7, 2006, at 11:11 AM, Joe Youngquist wrote:
> I personally do not feel that this is a Rails security issue - But I do HIGHLY recommend that it is pointed out very, very plainly that by default, all POSTS are sent to the server logs...it should be up to the developer to make adjustments as needed for the project.
>
> One person's "no-no" is someone else's "yes, please" - this is why I think Rails is just fine, but again, it should be set with a big warning in the docs on what Rails logs.
>
> Joseph Youngquist

- Bill
By setting the log level to WARN you lose important log information which could be used for statistical analysis. I have a small plugin which allows you to disable parameter logging for specific actions. Use it like

  class MyController < ApplicationController
    include LogSafe
    log_safe_action :pay

    def pay
      ...
    end
  end

Below is the plugin itself.

file init.rb:

  require 'log_safe'

file lib/log_safe.rb:

  module LogSafe
    # Including the module into a controller adds the class-level
    # log_safe_action declaration and overrides log_processing, which
    # ActionController::Base calls for every request.
    def self.included(controller)
      controller.extend(ClassMethods)
    end

    module ClassMethods
      # Declare one or more actions whose parameters must stay out of the
      # log. Repeated calls accumulate rather than replace earlier ones, and
      # the inheritable attribute lets subclasses inherit the list.
      def log_safe_action(*names)
        write_inheritable_attribute(:log_safe_actions,
                                    log_safe_actions + names.map { |n| n.to_s })
      end

      def log_safe_actions
        read_inheritable_attribute(:log_safe_actions) || []
      end
    end

    # Same output as the stock Rails log_processing, except that the
    # "Parameters:" line is skipped for actions marked log_safe_action.
    def log_processing
      logger.info "\n\nProcessing #{controller_class_name}\##{action_name} (for #{request_origin}) [#{request.method.to_s.upcase}]"
      logger.info "  Session ID: #{@session.session_id}" if @session and @session.respond_to?(:session_id)
      logger.info "  Parameters: #{@params.inspect}" unless self.class.log_safe_actions.include?(action_name)
    end
  end

Kent.

On 2/7/06, Lon Baker <lon@speedymac.com> wrote:
> When running in production, I set the logger level to warn in environment.rb:
>
>   RAILS_DEFAULT_LOGGER.level = Logger::WARN
>
> This prevents the POST information you are concerned about from being recorded in the logs.
>
> --
> Lon Baker
> http://www.speedymac.com
> AIM: spdemac
I would agree with a stipulation.

In production mode, the default should be WARN.

The current development mode logger setting is perfect.

On Feb 7, 2006, at 3:15 PM, rails-request@lists.rubyonrails.org wrote:
> My argument would be to not have it turned on by default, the default level would be WARN, but then again I have a large collection of hats in various metals. :-)

--
Lon Baker
http://www.speedymac.com
AIM: spdemac
On 2/7/06, Estelle Winterflood <estelle.winterflood@gmail.com> wrote:
> Is there any way of automatically stopping all password fields from being added to the logs?

There's always the Filter Logged Params plugin:
http://wiki.rubyonrails.org/rails/pages/Filter+Logged+Params+Plugin
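Kent's plugin drops the parameters line for whole actions, and the Filter Logged Params plugin redacts by parameter name; the latter is the approach Rails later built in as filter_parameter_logging / config.filter_parameters. The block below is an added example of that name-based filtering written for this thread, not code from either plugin or from anyone posting here: the sensitive-key pattern, the last-four masking rule for card numbers and the sample parameters are all constructed, and it writes the same "Processing ... Parameters:" lines Rails 1.x wrote so the request record stays useful for statistics while secrets never reach production.log.

```ruby
require 'logger'
require 'stringio'

# Parameter keys whose values must not reach the log. Constructed list for
# this example; matched case-insensitively against the key name, so it also
# catches params["customer"]["password"] or params["payment"]["card_number"].
SENSITIVE_KEYS = /password|card_number|cvv|security_code/i

# Return a deep copy of +params+ with sensitive values redacted. Hashes and
# arrays are walked recursively, so nested form parameters are caught, not
# just top-level keys. The original structure is left untouched.
def filter_params(params)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = key.to_s =~ SENSITIVE_KEYS ? redact(key.to_s, value) : filter_params(value)
    end
  when Array
    params.map { |item| filter_params(item) }
  else
    params
  end
end

# Replace one sensitive value. A card number keeps only its last four digits
# (the same information Kevin's store retains); anything else under a
# sensitive key, including whole hashes or arrays, becomes a marker.
def redact(key, value)
  return "[FILTERED]" unless key =~ /card_number/i && value.is_a?(String)
  digits = value.delete("^0-9")
  return "[FILTERED]" if digits.length <= 4
  ("*" * (digits.length - 4)) + digits[-4, 4]
end

# Write the request lines the way Rails 1.x did, but from the filtered copy.
# Returns the filtered params so callers (and tests) can inspect them.
def log_processing(controller, action, method, params, logger)
  filtered = filter_params(params)
  logger.info "Processing #{controller}##{action} [#{method.to_s.upcase}]"
  logger.info "  Parameters: #{filtered.inspect}"
  filtered
end

# Constructed request parameters mirroring the checkout POST quoted in the
# thread; every value here is made up.
SAMPLE_PARAMS = {
  "commit" => " Continue ",
  "action" => "confirm_order",
  "controller" => "store",
  "payment" => { "card_type" => "M", "card_number" => "4111 1111 1111 1111",
                 "pay_type" => "cc", "card_expiration(1i)" => "2007" },
  "customer" => { "first_name" => "Ada", "email" => "ada@example.com",
                  "password" => "hunter2" },
}

# Run the sample request through the filter and return what the logger
# recorded, captured in memory instead of production.log.
def logged_output
  buffer = StringIO.new
  logger = Logger.new(buffer)
  logger.formatter = proc { |_severity, _time, _progname, msg| "#{msg}\n" }
  log_processing("StoreController", "confirm_order", :post, SAMPLE_PARAMS, logger)
  buffer.string
end

puts logged_output if __FILE__ == $PROGRAM_NAME
```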
I feel strongly that the default production setting for the logger should be changed to :warn. Rails is all about sensible default settings. It is a problem if passwords and credit card numbers are showing up in production logs by default. It sounds like a lot of others agree and based on this open ticket from November 2004 (http://dev.rubyonrails.org/ticket/160) it seems as though this issue has been a problem for a long time.

What is the best way to escalate this issue so that it finally gets fixed?

Kevin Skoglund

> I would agree with a stipulation.
>
> In production mode, the default should be WARN.
>
> The current development mode logger setting is perfect.