Hi everybody,

I stumbled upon this idea today that redirect logs should be filterable, similarly to what happens for parameters. Maybe it's not a very common case, but it may happen that your Rails app performs a redirect to a resource which may be worth keeping secure.

The first thing that comes to my mind is S3 HMAC-signed resources. Most of the time those are printed out in HTML, but it may happen to have those resources served by your Rails app via a redirect.

What do you think about it?

I drafted out a possible solution here: https://github.com/freegenie/rails/commit/953f393c948e73db7fff34a88520b5c51684cce7

Should I open an issue and a pull request for this?

Thanks,

-f

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-core/-/R0rRmaUO6VcJ. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
I would say that this should be implemented as a plugin. As you mentioned, this is something very rare and it seems that it's easy to implement it in a way that users can just drop it in the Gemfile and set needed options.

On Mon, Oct 1, 2012 at 12:13 AM, Fabrizio Regini <freegenie@gmail.com> wrote:
> [quoted original message, see above]

--
Piotr Sarnacki
http://piotrsarnacki.com
Ok thanks, I'll consider that. You know, it looks like we may add a security-oriented, ready-to-use, built-in optional feature with very little change.

-f

On Monday, October 1, 2012 3:24:14 PM UTC+2, Piotr Sarnacki wrote:
> [quoted reply, see above]
Looking at the code once again, if I were to think about a plugin, a monkey patch on ActionController::LogSubscriber would be the only way to go. Am I correct?

On Monday, October 1, 2012 12:13:53 AM UTC+2, Fabrizio Regini wrote:
> [quoted original message, see above]
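As an added illustration of the filtering the thread proposes (this is not the linked commit nor Rails code), the following plain-Ruby filter masks the secret query parameters of an S3 pre-signed URL before the "Redirected to ..." line is written, in the same spirit as Rails' parameter filtering. The list of redacted keys and the sample URL are constructed for this example; in the plugin approach discussed above, the filter would be applied to the redirect location payload inside a LogSubscriber.

```ruby
require 'uri'

# Query-string keys whose values must never reach the log. This list is an
# assumption made for the example; it covers the S3 pre-signed URL parameters.
REDACTED_QUERY_KEYS = %w[Signature AWSAccessKeyId X-Amz-Signature
                         X-Amz-Credential X-Amz-Security-Token].freeze
FILTERED = '[FILTERED]'.freeze

# Returns a copy of the redirect location with the values of sensitive query
# keys replaced by [FILTERED]. Keys are matched case-insensitively; every other
# pair is re-encoded unchanged.
def filter_redirect_location(location)
  uri = URI.parse(location)
  return location if uri.query.nil? || uri.query.empty?

  filtered = URI.decode_www_form(uri.query).map do |key, value|
    if REDACTED_QUERY_KEYS.any? { |k| k.casecmp?(key) }
      "#{URI.encode_www_form_component(key)}=#{FILTERED}"
    else
      URI.encode_www_form([[key, value]])
    end
  end
  uri.query = filtered.join('&')
  uri.to_s
rescue URI::InvalidURIError
  # Unparsable location: keep the path but drop the whole query, because we
  # cannot tell which part of it carries the secret.
  base, _rest = location.split('?', 2)
  location.include?('?') ? "#{base}?#{FILTERED}" : location
end

# The log line the subscriber would emit, with the location already filtered.
def redirect_log_line(location)
  "Redirected to #{filter_redirect_location(location)}"
end

# Constructed sample: an S3 pre-signed URL of the kind mentioned in the thread.
SAMPLE_SIGNED_URL = 'https://bucket.s3.amazonaws.com/report.pdf' \
                    '?AWSAccessKeyId=AKIAEXAMPLE&Expires=1349049600&Signature=abc%2Fdef%3D'

puts redirect_log_line(SAMPLE_SIGNED_URL) if $PROGRAM_NAME == __FILE__
```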