Hi,

I just noticed that when users register or login to my website (I use restful_auth), their password gets printed out in the production.log file. How can I prevent that? I consider this a major security issue.

SSL is used to prevent eavesdropping and passwords are stored encrypted in DB by the way, but I never thought about log files.

--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

in application.rb, insert:

filter_parameter_logging "password"

On Mon, Feb 23, 2009 at 11:38 AM, Fernando Perez <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hi,
>
> I just noticed that when users register or login to my website (I use
> restful_auth), their password gets printed out in the production.log
> file. How can I prevent that? I consider this a major security issue.
>
> SSL is used to prevent eavesdropping and passwords are stored encrypted
> in DB by the way, but I never thought about log files.
> --
> Posted via http://www.ruby-forum.com/.

Fernando,

filter_parameter_logging is your friend.

* http://robbyonrails.com/articles/2007/07/16/rails-code-audit-tips-filtered-parameter-logging

Cheers,
Robby

On Mon, Feb 23, 2009 at 8:38 AM, Fernando Perez <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hi,
>
> I just noticed that when users register or login to my website (I use
> restful_auth), their password gets printed out in the production.log
> file. How can I prevent that? I consider this a major security issue.
>
> SSL is used to prevent eavesdropping and passwords are stored encrypted
> in DB by the way, but I never thought about log files.
> --
> Posted via http://www.ruby-forum.com/.

--
Robby Russell
Chief Evangelist, Partner
PLANET ARGON, LLC
design // development // hosting w/Ruby on Rails
http://planetargon.com/
http://robbyonrails.com/
http://twitter.com/planetargon
aim: planetargon
+1 503 445 2457
+1 877 55 ARGON [toll free]
+1 815 642 4068 [fax]

On Mon, Feb 23, 2009 at 10:38 AM, Fernando Perez <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hi,
>
> I just noticed that when users register or login to my website (I use
> restful_auth), their password gets printed out in the production.log
> file. How can I prevent that? I consider this a major security issue.
>
> SSL is used to prevent eavesdropping and passwords are stored encrypted
> in DB by the way, but I never thought about log files.

In your application.rb file use

filter_parameter_logging "password"

HTH

Charles

On Mon, Feb 23, 2009 at 8:38 AM, Fernando Perez <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hi,
>
> I just noticed that when users register or login to my website (I use
> restful_auth), their password gets printed out in the production.log
> file. How can I prevent that? I consider this a major security issue.
>
> SSL is used to prevent eavesdropping and passwords are stored encrypted
> in DB by the way, but I never thought about log files.

Hi, please remember google is your friend:

a) Google is your friend
   http://www.google.com/search?hl=en&rlz=1G1GGLQ_ENUS307&q=filter+logging+of+password+rails&btnG=Search

b) Api Documents is also a good resource
   http://api.rubyonrails.org

Note: If you search for password, you'll also find a reference for 'filter_parameter_logging'

Good luck,

-Conrad

> in application.rb, insert: filter_parameter_logging "password"

Thank you all for your replies. This should be included by default (or at least commented out?) in restful_auth generator and any other authentication plugin.

--
Posted via http://www.ruby-forum.com/.

Pretty sure this is in there by default in recent versions of Rails. (in application controller) (2.3 I believe)

On Mon, Feb 23, 2009 at 9:58 AM, Fernando Perez <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>> in application.rb, insert: filter_parameter_logging "password"
>
> Thank you all for your replies. This should be included by default (or
> at least commented out?) in restful_auth generator and any other
> authentication plugin.
> --
> Posted via http://www.ruby-forum.com/.

--
Robby Russell
Chief Evangelist, Partner
PLANET ARGON, LLC
design // development // hosting w/Ruby on Rails
http://planetargon.com/
http://robbyonrails.com/
http://twitter.com/planetargon
aim: planetargon
+1 503 445 2457
+1 877 55 ARGON [toll free]
+1 815 642 4068 [fax]
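
The filter_parameter_logging "password" setting recommended in the replies above, modelled as an added stand-alone Ruby example (not code from the thread or from Rails). It assumes a key is masked whenever it contains a filter word, case-insensitively, and uses constructed sample parameters; build_param_filter, log_line, leaks? and the "pwd" field are names invented for this illustration.

```ruby
# Added illustration: a stand-alone model of key-based parameter filtering,
# not the Rails source. In the app itself the setting from the thread is:
#
#   filter_parameter_logging "password"
#
FILTERED = "[FILTERED]"

# Returns a lambda that masks every value whose key contains one of the
# filter words (case-insensitive substring match; assumed behaviour).
def build_param_filter(*words)
  pattern = Regexp.new(words.map { |w| Regexp.escape(w.to_s) }.join("|"),
                       Regexp::IGNORECASE)
  walk = lambda do |value|
    case value
    when Hash
      value.each_with_object({}) do |(key, inner), out|
        out[key] = key.to_s =~ pattern ? FILTERED : walk.call(inner)
      end
    when Array then value.map { |item| walk.call(item) }
    else value
    end
  end
  walk
end

# Constructed sample: parameters as a signup form might post them.
SAMPLE_PARAMS = {
  "controller" => "users", "action" => "create",
  "user" => { "login" => "fernando",
              "password" => "s3cret-sample",
              "password_confirmation" => "s3cret-sample" },
  "pwd" => "s3cret-sample" # hypothetical field the "password" word misses
}

# Renders the line a request logger would write after filtering.
def log_line(params, filter)
  "  Parameters: #{filter.call(params).inspect}"
end

# True when the cleartext secret still appears in the log line.
def leaks?(line, secret)
  line.include?(secret)
end

if __FILE__ == $PROGRAM_NAME
  puts log_line(SAMPLE_PARAMS, build_param_filter("password"))
  puts log_line(SAMPLE_PARAMS, build_param_filter("password", "pwd"))
end
```

Entries written to production.log before the filter was enabled still contain the cleartext values.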