Hi,

A question I might have asked already but I still don't have an answer:

How can I prevent all my users' passwords to end in the log files?
Rails logs all params, and that puts all passwords in the logs....

I'd prefer to not stop the logging :-)
Is it possible to just not log the params? (Or can I use this method? http://wiki.rubyonrails.com/rails/pages/HowtoSelectivelySuppressLogging )

Thanks

raph
Raphael Bauduin <rblists@...> writes:

> How can I prevent all my users' passwords to end in the log files?
> Rails logs all params, and that puts all passwords in the logs....
>
> I'd prefer to not stop the logging
> Is it possible to just not log the params? (Or can I use this method?
> http://wiki.rubyonrails.com/rails/pages/HowtoSelectivelySuppressLogging

By default, in the development environment the logging threshold is set to "debug", which shows almost everything--including user passwords contained in parameter hashes (scary, isn't it?). Generally, this isn't too much of a problem, though--it's the "development" environment, after all, and when you're doing development you usually DO want to see all that stuff.

Fortunately, by default, the logging threshold is set to "info" for the production environment, which does NOT log parameter hashes, so all should be well and secure, for normal usage.

If for some reason you want to use a different logging level than these defaults, you just add a line to the appropriate environment file (config/environments/development.rb, for example) that says:

  config.log_level = :info  # or :error, or :warn, or whatever

That way you can set the logging level to whatever level shows you enough information for your needs, but not so much as to be insecure.

The reference you cite to the "silence" methods for ActiveRecord and ActionController can be useful for temporarily changing the logging level inside a block of code, but it won't work for blocking parameter hashes from being logged because that takes place before your ActionController object is instantiated, so there's nothing in your controller that silence can wrap a block around that would make a difference. The silence methods are generally only useful for stopping database field contents from being logged--but if you're using salted and hashed passwords, that shouldn't be a big deal, anyway.
One last note: there's an active ticket in the Rails tracking system about a hash that specifically hides passwords from being logged: see http://dev.rubyonrails.org/ticket/1897.

--Forrest
On 11/18/05, Raphael Bauduin <rblists-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> How can I prevent all my users' passwords to end in the log files?
> Rails logs all params, and that puts all passwords in the logs....
>
> I'd prefer to not stop the logging :-)
> Is it possible to just not log the params?

See http://dev.rubyonrails.org/ticket/1897. I've prepared a plugin that does the same thing as the patch in that ticket, but I haven't publicly released it yet. I can probably put it up this weekend if people are interested.
Jeremy Evans <jeremyevans0@...> writes:

> See http://dev.rubyonrails.org/ticket/1897. I've prepared a plugin
> that does the same thing as the patch in that ticket, but I haven't
> publicly released it yet. I can probably put it up this weekend if
> people are interested.

I saw your ticket previously: it's a clever idea. I'm of two minds on whether or not the problem is bad enough to justify an overall change--after all, by default the logging threshold is jacked up high enough in production mode that parameters (including passwords)--don't get logged. There are cases, however, where your change is just what's needed, and a plug-in would be the perfect solution.

I guess that's a long way of saying, "yes, please, people are interested, release the plug-in!"

--Forrest
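The two mitigations discussed in the thread so far, raising the log level so the parameter line is never emitted (Forrest's first reply) and scrubbing password values out of the parameter hash before it is logged (the approach of ticket 1897 and Jeremy's plugin), can both be shown with plain Ruby and the standard library Logger. The code below is an added example, not code from the thread, from the ticket or from Rails itself; the key pattern SENSITIVE_KEYS, the helper names and the sample params are all constructed for illustration.

```ruby
require 'logger'
require 'stringio'

# Added example (not code from the thread or from Rails): filter sensitive
# parameter values before the parameter hash reaches the log, and gate the
# parameter line behind Logger::DEBUG so an :info logger never emits it.

# Keys whose values must never appear in a log line (constructed list; a
# real application would extend it to session tokens, card numbers, etc.).
SENSITIVE_KEYS = /password|passwd|secret|token/i

# Recursively copy a params hash, replacing any value stored under a
# sensitive key with a fixed marker. Nested hashes and arrays are walked so
# that form fields such as user[password_confirmation] are caught too.
def filter_params(params)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = key.to_s =~ SENSITIVE_KEYS ? '[FILTERED]' : filter_params(value)
    end
  when Array
    params.map { |v| filter_params(v) }
  else
    params
  end
end

# Log a request the way a debug-level request log would: the "Processing"
# line at INFO, the parameter line at DEBUG. The block form means the
# filtered inspect string is never even built when the level is above DEBUG.
def log_request(logger, controller, action, params)
  logger.info("Processing #{controller}##{action}")
  logger.debug { "  Parameters: #{filter_params(params).inspect}" }
end

# Run one request through a logger at the given level and return everything
# that was written, so the effect of the level can be compared directly.
def captured_log(level, params)
  io = StringIO.new
  logger = Logger.new(io)
  logger.level = level
  logger.formatter = proc { |_severity, _time, _progname, msg| "#{msg}\n" }
  log_request(logger, 'SessionsController', 'create', params)
  io.string
end

if __FILE__ == $0
  # Constructed sample params, mimicking a login form post.
  sample = { 'login' => 'raph', 'password' => 'hunter2',
             'user' => { 'email' => 'r@example.com',
                         'password_confirmation' => 'hunter2' } }
  puts '--- :info (production default): no parameter line at all ---'
  puts captured_log(Logger::INFO, sample)
  puts '--- :debug (development default): parameter line, values filtered ---'
  puts captured_log(Logger::DEBUG, sample)
end
```

At Logger::INFO the parameter line is never written, which is what the production default relies on; at Logger::DEBUG the line is written but every value under a password-like key has been replaced before it reaches the log, which is what the ticket's approach adds for the cases where you do want parameters logged.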
Forrest Thiessen wrote:

> [...] by
> default the logging threshold is jacked up high enough in production mode that
> parameters (including passwords)--don't get logged.

Is this documented anywhere? I was just looking in the configuration section in the Agile Rails book for info on how to minimise logging in production, and didn't find anything.

Trying to run in production mode under WEBrick, just to see how it behaved, I was still getting params and SQL in the production.log.

Traditionally one of the arguments in favour of using POST in web applications has been that POSTed data doesn't appear in the server log. I would like this to be true (or, at least, possible) for Rails applications.

regards

Justin
Justin Forder <justin@...> writes:

>> [...] by
>> default the logging threshold is jacked up high enough in production mode
>> that parameters (including passwords)--don't get logged.
>
> Is this documented anywhere? I was just looking in the configuration
> section in the Agile Rails book for info on how to minimise logging in
> production, and didn't find anything.
>
> Trying to run in production mode under WEBrick, just to see how it
> behaved, I was still getting params and SQL in the production.log.

The only place I've seen it documented is in comments in the config/environment.rb file, where it says:

  # Force all environments to use the same logger level
  # (by default production uses :info, the others :debug)
  # config.log_level = :debug

I didn't try running on production (I'm still developing my app ;) ), but I tried inserting

  config.log_level = :info

into environment.rb, and parameter values were no longer written to the log file (and neither was almost anything else). So I can confirm that the mechanism is there and that it works, but I haven't actually tested the statement in the comments that "by default production uses :info".

--Forrest
On Nov 19, 2005, at 9:43 AM, Forrest Thiessen wrote:

> Justin Forder <justin@...> writes:
>
>>> [...] by
>>> default the logging threshold is jacked up high enough in
>>> production mode
>>> that parameters (including passwords)--don't get logged.
>>
>> Is this documented anywhere? I was just looking in the configuration
>> section in the Agile Rails book for info on how to minimise
>> logging in
>> production, and didn't find anything.
>>
>> Trying to run in production mode under WEBrick, just to see how it
>> behaved, I was still getting params and SQL in the production.log.
>
> The only place I've seen it documented is in comments in the
> config/environment.rb file, where it says:
>
>   # Force all environments to use the same logger level
>   # (by default production uses :info, the others :debug)
>   # config.log_level = :debug
>
> I didn't try running on production (I'm still developing my
> app ;) ), but I tried inserting
>
>   config.log_level = :info
>
> into environment.rb, and parameter values were no longer written to
> the log file (and neither was almost anything else). So I can confirm
> that the mechanism is there and that it works, but I haven't actually
> tested the statement in the comments that "by default production uses
> :info".
>
> --Forrest

Hey-

I am using this snippet in environment.rb to set the production log level to FATAL so that only real errors and stack traces go to the production.log. But keep in mind that the app I am using this in is running on rails .13.1. I'm not sure if it is still valid to use in .14.3:

  # Configure defaults if the included environment did not.
  begin
    # Write to log/<environment>.log; in production only FATAL entries
    # (real errors and stack traces) make it in, everywhere else DEBUG.
    RAILS_DEFAULT_LOGGER = Logger.new("#{RAILS_ROOT}/log/#{RAILS_ENV}.log")
    RAILS_DEFAULT_LOGGER.level = (RAILS_ENV == 'production' ? Logger::FATAL : Logger::DEBUG)
  rescue StandardError
    # Log file missing or unwritable: fall back to STDERR at WARN and say so.
    RAILS_DEFAULT_LOGGER = Logger.new(STDERR)
    RAILS_DEFAULT_LOGGER.level = Logger::WARN
    RAILS_DEFAULT_LOGGER.warn(
      "Rails Error: Unable to access log file. Please ensure that log/#{RAILS_ENV}.log exists and is chmod 0666. " +
      "The log level has been raised to WARN and the output directed to STDERR until the problem is fixed."
    )
  end

HTH-

-Ezra Zygmuntowicz
WebMaster
Yakima Herald-Republic Newspaper
ezra-gdxLOakOTQ9oetBuM9ipNAC/G2K4zDHf@public.gmane.org
509-577-7732
+-On 18/11/2005 15:48 +0100, Raphael Bauduin said:
| Hi,
|
| A question I might have asked already but I still don't have an answer:
|
| How can I prevent all my users' passwords to end in the log files?
| Rails logs all params, and that puts all passwords in the logs....

You could do something like digest-md5 or cram-md5 with the client side in javascript. I did that some time ago for some company who did not want root to be able to see the passwords travel anywhere :-)

--
Mathieu Arnold