Plain text passwords displayed in production.log


#1

By default, all the parameters are displayed in the production.log on a
POST.

Unfortunately, this includes all the plain-text passwords that people type
into the login form on my application, which is a huge security risk. I’m
using a custom evaluation system that hooks into LDAP (not any of the
generators/plugins).

View code is simple:

<%= text_field 'employee', 'login', :size => 20 %>
<%= password_field 'employee', 'password', :size => 20 %>

Any ideas on how to stop the passwords from being logged when the login
page is submitted?

Thanks,

Ken


#2

Yes… read the docs on the logger… in production/environment.rb you can
set the output level of your logger. I don’t remember it offhand though.


#3

On 2/24/06, Ken P. removed_email_address@domain.invalid wrote:

Any ideas on how to stop the passwords from being logged when the login page
is submitted?

Try the Filter Logged Parameters plugin:
http://wiki.rubyonrails.org/rails/pages/Filter+Logged+Params+Plugin


#4

In your environment.rb inside the config block you need to uncomment
and set your log level like this:

config.log_level = :warn

Cheers-
-Ezra

On Feb 24, 2006, at 11:34 AM, Brian H. wrote:



Rails mailing list
removed_email_address@domain.invalid
http://lists.rubyonrails.org/mailman/listinfo/rails

-Ezra Z.
Yakima Herald-Republic
WebMaster
http://yakimaherald.com
509-577-7732
removed_email_address@domain.invalid


#5

Thanks Ezra. Although I’d still like the transaction log, that will do
until I have time to test out the Plugin that Jeremy suggested.

-Ken


#6

How about, in your controller:

def login
  RAILS_DEFAULT_LOGGER.info "Attempting to authenticate user '#{params[:login]}'"
  # Declared outside the block so the result is still visible after it;
  # a variable first assigned inside the block would be local to the block.
  user = nil
  # Nothing logged inside this block (including the request parameters)
  # reaches production.log.
  RAILS_DEFAULT_LOGGER.silence do
    # however you're doing the authentication..., e.g.
    user = User.authenticate_somehow(params[:login],
                                     params[:cleartext_password_or_whatever])
  end
  RAILS_DEFAULT_LOGGER.info "Login failed!" if user.nil?
  # ... and then whatever else you need to do.
end

For extra credit, you can even make the silencing ONLY happen when
RAILS_ENV == ‘production’.

- james

On 2/24/06, Ken P. removed_email_address@domain.invalid wrote:

Thanks Ezra. Although I’d still like the transaction log, that will do until I
have time to test out the Plugin that Jeremy suggested.

-Ken


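
The two approaches suggested in this thread, parameter filtering (#3) and silencing the logger around the authentication call (#4/#6), side by side as an added example. This is not code from the thread, from Rails or from the Filter Logged Params plugin: the Rails logger is stood in for by the standard-library Logger writing to an in-memory buffer, `filter_parameters` and `silence_logger` are hand-written stand-ins for what the plugin and `RAILS_DEFAULT_LOGGER.silence` did, and the `SAMPLE_PARAMS` POST body is constructed to match the `employee[login]`/`employee[password]` fields in Ken's view. Filtering keeps the transaction log that Ken wants and only redacts the password; silencing drops the whole request trace for the duration of the block.

```ruby
require 'logger'
require 'stringio'

# Parameter keys whose values must never reach the log. Matching is by
# case-insensitive substring, so 'password', 'Password' and
# 'password_confirmation' are all caught.
SENSITIVE_KEYS = [/password/i, /passwd/i].freeze

# Approach 1 (what the Filter Logged Params plugin did, re-implemented here):
# keep the request log but replace every sensitive value with "[FILTERED]".
# Recurses into nested hashes so employee[password] is covered as well.
def filter_parameters(params)
  params.each_with_object({}) do |(key, value), filtered|
    filtered[key] =
      if SENSITIVE_KEYS.any? { |pattern| key.to_s =~ pattern }
        '[FILTERED]'
      elsif value.is_a?(Hash)
        filter_parameters(value)
      else
        value
      end
  end
end

# Approach 2 (what RAILS_DEFAULT_LOGGER.silence did, re-implemented here):
# raise the level for the duration of the block so nothing below ERROR is
# written, then restore it even if the block raises. Everything logged in
# the window is lost, not just the password.
def silence_logger(logger, temporary_level = Logger::ERROR)
  old_level = logger.level
  logger.level = temporary_level
  yield logger
ensure
  logger.level = old_level
end

# Simulates the request logging for one login POST and returns what was
# written, so the result can be inspected without touching a real log file.
def log_login_request(params, silenced: false)
  buffer = StringIO.new
  logger = Logger.new(buffer)
  logger.level = Logger::INFO
  logger.formatter = proc { |_severity, _time, _progname, msg| "#{msg}\n" }

  if silenced
    silence_logger(logger) { |l| l.info "Parameters: #{params.inspect}" }
  else
    logger.info "Parameters: #{filter_parameters(params).inspect}"
  end
  logger.info "Completed login for #{params['employee']['login']}"
  buffer.string
end

# Constructed sample POST body, shaped like the one the login form produces
# (hypothetical controller and action names).
SAMPLE_PARAMS = {
  'controller' => 'sessions',
  'action'     => 'login',
  'employee'   => { 'login' => 'kenp', 'password' => 'hunter2' },
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts '--- filtered ---'
  puts log_login_request(SAMPLE_PARAMS)
  puts '--- silenced ---'
  puts log_login_request(SAMPLE_PARAMS, silenced: true)
end
```

Run it directly to see both logs: the filtered one still shows the controller, action and login name with the password replaced, while the silenced one contains only the line written after the block ends.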