Forum: Ruby on Rails Plain text passwords displayed in production.log

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Ken P. (Guest)
on 2006-02-24 21:14
(Received via mailing list)
By default, all the parameters are displayed in the production.log on a
POST.

Unfortunately, this includes all the plain-text passwords that people
type into the login form on my application, which is a huge security risk.
I'm using a custom evaluation system that hooks into LDAP (not any of the
generators/plugins).

View code is simple:
<%= text_field 'employee', 'login', :size => 20 %>
...
<%= password_field 'employee', 'password', :size => 20 %>

Any ideas on how to stop the passwords from being logged when the login
page is submitted?

Thanks,

Ken
Brian H. (Guest)
on 2006-02-24 21:35
(Received via mailing list)
Yes... read the docs on the logger... in production/environment.rb you
can set the output level of your logger. I don't remember it offhand though.
Jeremy E. (Guest)
on 2006-02-24 23:24
(Received via mailing list)
On 2/24/06, Ken P. <removed_email_address@domain.invalid> wrote:
> Any ideas on how to stop the passwords from being logged when the login page
> is submitted?

Try the Filter Logged Parameters plugin:
http://wiki.rubyonrails.org/rails/pages/Filter+Log...
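What the Filter Logged Parameters plugin does (and what later became Rails' built-in config.filter_parameters) is redact matching keys in the params hash before the request line is written to production.log. The following is an added example, not code from the thread or from the plugin: a plain-Ruby version of that filter that walks nested hashes and arrays, so params[:employee][:password] from the form above is caught too. The key patterns, the log_request helper and the sample POST are assumptions constructed for this example.

```ruby
# Added example (not from the original thread): a minimal parameter
# filter in plain Ruby that does what the Filter Logged Parameters
# plugin (later Rails' config.filter_parameters) does: walk a params
# hash and redact any value whose key matches a sensitive pattern,
# before the hash is written to production.log.
require 'logger'

FILTERED = '[FILTERED]'.freeze

# The pattern list is an assumption for this example; Rails' own
# default list lives in config/initializers/filter_parameter_logging.rb.
DEFAULT_PATTERNS = [/passw/i, /secret/i, /token/i, /_key\z/i].freeze

# Recursively redact values whose key matches any pattern. Nested
# hashes and arrays (e.g. params[:employee][:password]) are handled,
# and the original hash is not mutated.
def filter_params(params, patterns = DEFAULT_PATTERNS)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = if patterns.any? { |p| p.match?(key.to_s) }
                   FILTERED
                 else
                   filter_params(value, patterns)
                 end
    end
  when Array
    params.map { |v| filter_params(v, patterns) }
  else
    params
  end
end

# Log a request the way Rails does ("Processing ... Parameters: {...}"),
# but only after filtering. Returns the line it logged so callers can
# check that no secret leaked into it. (Hypothetical helper.)
def log_request(logger, controller, action, params)
  line = "Processing #{controller}##{action} " \
         "Parameters: #{filter_params(params).inspect}"
  logger.info(line)
  line
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample POST from the login form in the thread.
  sample = { 'employee' => { 'login' => 'kenp', 'password' => 'hunter2' },
             'commit' => 'Log in' }
  log_request(Logger.new($stdout), 'SessionController', 'login', sample)
end
```

Unlike lowering config.log_level, this keeps the transaction log and only blanks the sensitive values, which is the behaviour the original poster asked for. Note that filtering by key name is only as good as the pattern list: a password posted under an unusual key such as "pin" would still be logged unless that key is added.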
Ezra Z. (Guest)
on 2006-02-25 00:04
(Received via mailing list)
In your environment.rb inside the config block you need to uncomment
and set your log level like this:

    config.log_level = :warn


Cheers-
-Ezra



On Feb 24, 2006, at 11:34 AM, Brian H. wrote:

> risk. I'm
> is submitted?
> _______________________________________________
> Rails mailing list
> removed_email_address@domain.invalid
> http://lists.rubyonrails.org/mailman/listinfo/rails

-Ezra Z.
Yakima Herald-Republic
WebMaster
http://yakimaherald.com
509-577-7732
removed_email_address@domain.invalid
Ken P. (Guest)
on 2006-02-25 01:04
(Received via mailing list)
Thanks Ezra. Although I'd still like the transaction log, that will do
until I have time to test out the Plugin that Jeremy suggested.

-Ken
James A. (Guest)
on 2006-02-25 04:27
(Received via mailing list)
How about, in your controller:

  def login
    RAILS_DEFAULT_LOGGER.info "Attempting to authenticate user '#{params[:login]}'"
    user = nil  # declared before the block so it is still visible after it
    RAILS_DEFAULT_LOGGER.silence do
      # however you're doing the authentication..., e.g.
      user = User.authenticate_somehow(params[:login],
                                       params[:cleartext_password_or_whatever])
    end
    RAILS_DEFAULT_LOGGER.info "Login failed!" if user.nil?
    # ... and then whatever else you need to do.
  end

For extra credit, you can even make the silencing ONLY happen when
RAILS_ENV == 'production'.

- james

On 2/24/06, Ken P. <removed_email_address@domain.invalid> wrote:
> Thanks Ezra. Although I'd still like the transaction log, that will do until I
> have time to test out the Plugin that Jeremy suggested.
>
> -Ken


--
* J *
  ~
This topic is locked and can not be replied to.