Logging of Form information in production environment


#1

It seems that in the default Production environment, Rails logs posted
form data. Isn’t this a security risk? Especially since a user
creation form puts this in the logfile:

Processing Base#index (for 127.0.0.1 at 2005-12-18 21:03:33) [POST]
Parameters: {"user"=>{"password_confirmation"=>"mypassword",
"username"=>"seanwolfe", "lastname"=>"Wolfe", "firstname"=>"Sean",
"form"=>"edit", "password"=>"mypassword",
"email"=>"removed_email_address@domain.invalid"}, "commit"=>"Signup"}

I’m not totally familiar with all the logging features, but for a
production environment shouldn’t this be off by default?


Sean W.
master nerd of
i heart squares, Co.

3711 N. Ravenswood Ave. #147 Chicago, IL 60613
Ph. (773) 531-6301 Fx. (773) 529-7041
http://www.iheartsquares.com


#2

Yes, it’s a security risk, but you can get some protection
by just changing the access level on the logs.
On Unix, it might be this,
chmod 600 *.log
or apply this to the entire log directory.
Also, run your rails app with a special user account that has
minimal privileges.
Make sure code and db schema aren’t world readable–that is
as much of a security threat as open passwords.
If the data you are collecting is sensitive and there is more
than one person who has password access to the logs, you should
wrap sensitive db activity with
ActiveRecord::Base.silence
to have the logger temporarily turned off.
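The Parameters line quoted in the first post is what leaks the password. Besides restricting who can read the log or silencing the logger, the value can be redacted before the line is written. The following is an added example, not code from the thread or from Rails: a small recursive filter over the parameter hash, run against a constructed copy of the posted signup form. The key pattern SENSITIVE_KEY is an assumption for illustration.

```ruby
require 'logger'

# Key names whose values must never reach the log. Assumed pattern for
# this example; it covers the fields seen in the quoted Parameters line.
SENSITIVE_KEY = /password|passwd|secret|token/i

# Recursively copy params, replacing the value of every sensitive key
# (at any nesting depth, including inside arrays) with "[FILTERED]".
# The original hash is left untouched so the controller still sees it.
def filter_params(value)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), out|
      out[k] = k.to_s.match?(SENSITIVE_KEY) ? "[FILTERED]" : filter_params(v)
    end
  when Array
    value.map { |v| filter_params(v) }
  else
    value
  end
end

# Build the "Parameters: {...}" line in the same shape as the controller
# log, but from the filtered copy of the hash.
def parameters_log_line(params)
  "Parameters: #{filter_params(params).inspect}"
end

# Constructed sample matching the signup form in the original post
# (the e-mail address is a placeholder).
SIGNUP_PARAMS = {
  "user" => {
    "password_confirmation" => "mypassword",
    "username" => "seanwolfe",
    "lastname" => "Wolfe",
    "firstname" => "Sean",
    "form" => "edit",
    "password" => "mypassword",
    "email" => "user@example.invalid"
  },
  "commit" => "Signup"
}

if __FILE__ == $PROGRAM_NAME
  logger = Logger.new($stdout)
  logger.info(parameters_log_line(SIGNUP_PARAMS))
end
```

Later Rails releases ship the same idea built in (config.filter_parameters), but the filter above shows what such a setting has to do: match on key names at every nesting level and redact before inspect is called.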


#3

Also in production mode I usually don’t want any of that stuff in
there since my apps are already tested and such. So I set the log
level to fatal and then all you get in the production logs is stack
traces when an exception happens. Also if you leave the logs at the
default level, they will quickly get huge.

Cheers-
-Ezra

On Dec 19, 2005, at 3:25 AM, Lou V. wrote:


Rails mailing list
removed_email_address@domain.invalid
http://lists.rubyonrails.org/mailman/listinfo/rails

-Ezra Z.
Yakima Herald-Republic
WebMaster
http://yakimaherald.com
509-577-7732
removed_email_address@domain.invalid