Keeping passwords and other sensitive data out of the logs

Even in production mode Rails logs all request params in the log files.
The problem is this often includes things like user passwords, credit
card numbers and other data. It even displays them when the values are
POSTed. If my server is hacked it would be easy to pick this data out
of the logs by a regex or two.

Is it possible to prevent logging certain params? This seems like it
could be a troublesome security hole.

Any tips?

On Aug 15, 2006, at 3:52 PM, Alex W. wrote:

Any tips?



In edge rails there is a filter_log_params functionality that will
filter certain things that you specify out of the log file. If you
are not on edge I think there is a plugin somewhere called
filtered_log_params that you can use.

-Ezra

Ezra Z. wrote:

In edge rails there is a filter_log_params functionality that will
filter certain things that you specify out of the log file. If you
are not on edge I think there is a plugin somewhere called
filtered_log_params that you can use.

-Ezra

Ah thanks, I’m on edge so I’ll see if that works.

Alex W. wrote:

Ezra Z. wrote:

In edge rails there is a filter_log_params functionality that will
filter certain things that you specify out of the log file. If you
are not on edge I think there is a plugin somewhere called
filtered_log_params that you can use.

-Ezra

Ah thanks, I’m on edge so I’ll see if that works.

I can't seem to find any reference to that on the edge docs or in the
edge source. And the plugin svn seems to be down.

svn://suven.no-ip.org/rails/plugins/filter_logged_params

How do I use the edge implementation?

Guest wrote:

Alex W. wrote:

Ezra Z. wrote:

In edge rails there is a filter_log_params functionality that will
filter certain things that you specify out of the log file. If you
are not on edge I think there is a plugin somewhere called
filtered_log_params that you can use.

-Ezra

Ah thanks, I’m on edge so I’ll see if that works.

I can't seem to find any reference to that on the edge docs or in the
edge source. And the plugin svn seems to be down.

svn://suven.no-ip.org/rails/plugins/filter_logged_params

How do I use the edge implementation?

Nevermind…

It’s filter_parameter_logging
http://api.rubyonrails.com/classes/ActionController/Base.html#M000201
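
The thread ends at the method name, so here is a sketch of what key-based parameter filtering does to the params hash before it is logged. It is an added example, not part of the thread and not Rails' own source; the helper names, the `card_number` key and the sample params are assumptions constructed for illustration.

```ruby
# Standalone sketch of key-based parameter filtering (added example, not Rails source).
# In a Rails app of that era the equivalent declaration lives in the controller:
#   class ApplicationController < ActionController::Base
#     filter_parameter_logging :password, :card_number
#   end

FILTERED = "[FILTERED]"

# Build a case-insensitive matcher from the sensitive key fragments.
# Matching is by substring, so :password also covers password_confirmation.
def build_key_matcher(*words)
  Regexp.new(words.map { |w| Regexp.escape(w.to_s) }.join("|"), Regexp::IGNORECASE)
end

# Return a filtered deep copy of params; the original hash is not mutated,
# so the application still sees the real values and only the log copy is masked.
def filter_params(params, matcher)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = (key.to_s =~ matcher) ? FILTERED : filter_params(value, matcher)
    end
  when Array
    params.map { |item| filter_params(item, matcher) }
  else
    params
  end
end

# Constructed sample request parameters (not taken from the thread).
SAMPLE_PARAMS = {
  "controller" => "accounts",
  "action" => "create",
  "user" => { "login" => "alex", "password" => "s3cret",
              "password_confirmation" => "s3cret" },
  "payments" => [{ "card_number" => "4111111111111111", "amount" => "10.00" }]
}

# Format the line that would be written to the log file.
def log_line(params, matcher)
  "Parameters: #{filter_params(params, matcher).inspect}"
end

puts log_line(SAMPLE_PARAMS, build_key_matcher(:password, :card_number)) if __FILE__ == $0
```

Filtering of this kind only masks values whose key matches, so a secret submitted under an unlisted key name still reaches the log.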
