Forum: Ruby on Rails Unencrypted Password Appears in Log

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Mike Rood (imdwalrus)
on 2007-04-13 20:21
(Received via mailing list)
I have a requirement to authenticate my app users through Active
Directory.  My login form captures a user's ID and password and passes
them to a net/ldap routine.  I'm using form_for...|form|  to create
the form and form.password_field to create the password field.  The
password entry is encrypted on the screen but appears unencrypted in
the development log in the params listing.

What can I do to keep the unencrypted password from appearing in the
log?

Thanks,

Mike
Bill Walton (Guest)
on 2007-04-13 20:34
(Received via mailing list)
Hi Mike,

imdwalrus wrote:

> What can I do to keep the unencrypted password from
> appearing in the log?

I have a requirement to filter *all* user input from my logs, so this
isn't specific to passwords.  This'll get you in the ballpark, though.

Inside application.rb, outside the methods

if %w(production).include?(ENV['RAILS_ENV'])
  filter_parameter_logging { |k,v| v.replace '' unless k == 'controller' or k == 'action' }
end

hth,
Bill
Chris Mear (Guest)
on 2007-04-13 21:00
(Received via mailing list)
Use filter_parameter_logging:

http://api.rubyonrails.org/classes/ActionControlle...

You can stick this in your ApplicationController, or do it on a per-
controller basis.

Chris
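
Added example (not part of the thread, and not Rails' own implementation): plain Ruby showing what key-based filtering such as `filter_parameter_logging :password` does to the nested params a `form_for` login form posts, next to the blank-everything approach from the earlier reply. The names `filter_params`, `blank_all` and `SAMPLE` are hypothetical, and the sample params are constructed.

```ruby
# Added illustration in plain Ruby (no Rails needed); not Rails' own code.
FILTERED = '[FILTERED]'

# Return a copy of params with the value of every key matching one of
# `words` masked. Nested hashes and arrays are walked, because form_for
# posts fields nested under the model name, e.g. params['user']['password'].
def filter_params(params, *words)
  pattern = Regexp.union(words.map { |w| /#{Regexp.escape(w.to_s)}/i })
  walk = lambda do |value|
    case value
    when Hash
      value.each_with_object({}) do |(k, v), out|
        out[k] = k.to_s =~ pattern ? FILTERED : walk.call(v)
      end
    when Array then value.map { |v| walk.call(v) }
    else value
    end
  end
  walk.call(params)
end

# Blank-everything variant: keep only the routing keys, empty all other values.
def blank_all(params)
  params.each_with_object({}) do |(k, v), out|
    out[k] = if %w(controller action).include?(k.to_s) then v
             elsif v.is_a?(Hash) then blank_all(v)
             else ''
             end
  end
end

# Constructed sample: the params a form_for login form would post.
SAMPLE = {
  'controller' => 'sessions',
  'action'     => 'create',
  'user'       => { 'login' => 'mrood', 'password' => 's3cret' },
  'commit'     => 'Log in'
}

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered: #{SAMPLE.inspect}"
  puts "by key:     #{filter_params(SAMPLE, :password).inspect}"
  puts "blank all:  #{blank_all(SAMPLE).inspect}"
end
```

Key-based filtering keeps the log useful for debugging while masking the credential; matching is by substring, so a field such as `password_confirmation` is masked by the same word.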
Mike Rood (imdwalrus)
on 2007-04-13 23:32
(Received via mailing list)
Thanks, Bill.  I really appreciate your help.
Mike Rood (imdwalrus)
on 2007-04-14 00:38
(Received via mailing list)
That's perfect, Chris.  Thanks so much for taking the time to help me.

-- Mike