It seems that in the default Production environment, Rails logs posted form data. Isn't this a security risk? Especially since a user creation form puts this in the logfile:

Processing Base#index (for 127.0.0.1 at 2005-12-18 21:03:33) [POST]
Parameters: {"user"=>{"password_confirmation"=>"mypassword", "username"=>"seanwolfe", "lastname"=>"Wolfe", "firstname"=>"Sean", "form"=>"edit", "password"=>"mypassword", "email"=>"nobody@nowhere.com"}, "commit"=>"Signup"}

I'm not totally familiar with all the logging features, but for a production environment shouldn't this be off by default?

--
Sean Wolfe
master nerd of
i heart squares, Co.
3711 N. Ravenswood Ave. #147 Chicago, IL 60613
Ph. (773) 531-6301 Fx. (773) 529-7041
http://www.iheartsquares.com

_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails
Lou Vanek
2005-Dec-19 11:25 UTC
Re: Logging of Form information in production environment.
Yes, it's a security risk, but you can get some protection by just changing the access level on the logs. On Unix, it might be this:

chmod 600 *.log

or apply this to the entire log directory. Also, run your rails app with a special user account that has minimal privileges. Make sure code and db schema aren't world readable--that is as much of a security threat as open passwords. If the data you are collecting is sensitive and there is more than one person who has password access to the logs you should wrap sensitive db activity with

ActiveRecord::Base.silence

to have the logger temporarily turned off.

Sean Wolfe wrote:
> It seems that in the default Production environment, Rails logs posted
> form data. Isn't this a security risk? Especially since a user
> creation form puts this in the logfile:
>
> Processing Base#index (for 127.0.0.1 at 2005-12-18 21:03:33) [POST]
> Parameters: {"user"=>{"password_confirmation"=>"mypassword",
> "username"=>"seanwolfe", "lastname"=>"Wolfe", "firstname"=>"Sean",
> "form"=>"edit", "password"=>"mypassword",
> "email"=>"nobody-e83xkrq8dvZBDgjK7y7TUQ@public.gmane.org"}, "commit"=>"Signup"}
>
> I'm not totally familiar with all the logging features, but for a
> production environment shouldn't this be off by default?
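Besides locking down file permissions or silencing the logger, the request line Sean quotes can be made safe to log by redacting sensitive keys before the parameters hash is written out. The following is an added example, not code from the list or from Rails itself; the function name `filter_params`, the key list `SENSITIVE_KEYS` and the sample hash (built to mirror the one in the thread) are all assumptions.

```ruby
# Added example: redact sensitive form parameters before they reach the log.
# Keys are matched by substring, case-insensitively, so a single entry
# "password" also covers "password_confirmation" (assumed list).
SENSITIVE_KEYS = %w[password].freeze

def sensitive_key?(key, sensitive = SENSITIVE_KEYS)
  name = key.to_s.downcase
  sensitive.any? { |s| name.include?(s) }
end

# Walk the params recursively: Rails nests form fields as hashes
# (params["user"]["password"]) and multi-value fields as arrays.
# Returns a new structure; the original is left untouched.
def filter_params(value, sensitive = SENSITIVE_KEYS)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), acc|
      acc[k] = sensitive_key?(k, sensitive) ? "[FILTERED]" : filter_params(v, sensitive)
    end
  when Array
    value.map { |v| filter_params(v, sensitive) }
  else
    value
  end
end

# Constructed sample matching the request logged in the thread.
SAMPLE_PARAMS = {
  "user" => {
    "password_confirmation" => "mypassword",
    "username" => "seanwolfe",
    "lastname" => "Wolfe",
    "firstname" => "Sean",
    "form" => "edit",
    "password" => "mypassword",
    "email" => "nobody@nowhere.com"
  },
  "commit" => "Signup"
}.freeze

# Build the "Parameters: {...}" line the way the thread shows it, but filtered.
def log_line(params)
  "Parameters: #{filter_params(params).inspect}"
end

puts log_line(SAMPLE_PARAMS) if __FILE__ == $0
```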
Ezra Zygmuntowicz
2005-Dec-19 18:34 UTC
Re: Re: Logging of Form information in production environment.
Also in production mode I usually don't want any of that stuff in there since my apps are already tested and such. So I set the log level to fatal and then all you get in the production logs is stack traces when an exception happens. Also if you leave the logs at the default level, they will quickly get huge.

Cheers-
-Ezra

On Dec 19, 2005, at 3:25 AM, Lou Vanek wrote:
> Yes, it's a security risk, but you can get some protection
> by just changing the access level on the logs.
> On Unix, it might be this,
> chmod 600 *.log
> or apply this to the entire log directory.
> Also, run your rails app with a special user account that has
> minimal privileges.
> Make sure code and db schema aren't world readable--that is
> as much of a security threat as open passwords.
> If the data you are collecting is sensitive and there is more
> than one person who has password access to the logs you should
> wrap sensitive db activity with,
> ActiveRecord::Base.silence
> to have the logger temporarily turned off.
>
> Sean Wolfe wrote:
>
>> It seems that in the default Production environment, Rails logs
>> posted
>> form data. Isn't this a security risk? Especially since a user
>> creation form puts this in the logfile:
>> Processing Base#index (for 127.0.0.1 at 2005-12-18 21:03:33) [POST]
>> Parameters: {"user"=>{"password_confirmation"=>"mypassword",
>> "username"=>"seanwolfe", "lastname"=>"Wolfe", "firstname"=>"Sean",
>> "form"=>"edit", "password"=>"mypassword",
>> "email"=>"nobody-e83xkrq8dvZBDgjK7y7TUQ@public.gmane.org"}, "commit"=>"Signup"}
>> I'm not totally familiar with all the logging features, but for a
>> production environment shouldn't this be off by default?

-Ezra Zygmuntowicz
Yakima Herald-Republic WebMaster
http://yakimaherald.com
509-577-7732
ezra-gdxLOakOTQ9oetBuM9ipNAC/G2K4zDHf@public.gmane.org