Forum: Ruby on Rails Hide password params in log file

Fernando Perez (fernando)
on 2009-02-23 17:38
Hi,

I just noticed that when users register or login to my website (I use
restful_auth), their password gets printed out in the production.log
file. How can I prevent that? I consider this a major security issue.

SSL is used to prevent eavesdropping and passwords are stored encrypted
in DB by the way, but I never thought about log files.
Charles Johnson (Guest)
on 2009-02-23 18:04
(Received via mailing list)
On Mon, Feb 23, 2009 at 10:38 AM, Fernando Perez <
rails-mailing-list@andreas-s.net> wrote:

>
> Hi,
>
> I just noticed that when users register or login to my website (I use
> restful_auth), their password gets printed out in the production.log
> file. How can I prevent that? I consider this a major security issue.
>
> SSL is used to prevent eavesdropping and passwords are stored encrypted
> in DB by the way, but I never thought about log files.


In your application.rb file use

filter_parameter_logging "password"

HTH

Charles
Conrad Taylor (conradwt)
on 2009-02-23 18:05
(Received via mailing list)
On Mon, Feb 23, 2009 at 8:38 AM, Fernando Perez <
rails-mailing-list@andreas-s.net> wrote:

>
> Hi,
>
> I just noticed that when users register or login to my website (I use
> restful_auth), their password gets printed out in the production.log
> file. How can I prevent that? I consider this a major security issue.
>
> SSL is used to prevent eavesdropping and passwords are stored encrypted
> in DB by the way, but I never thought about log files.


Hi, please remember google is your friend:

a)  Google is your friend

     http://www.google.com/search?hl=en&rlz=1G1GGLQ_ENU...

b)  Api Documents is also a good resource

     http://api.rubyonrails.org

     Note:  If you search for password, you'll also find a reference for
     'filter_parameter_logging'

Good luck,

-Conrad
Robby Russell (Guest)
on 2009-02-23 18:07
(Received via mailing list)
Fernando,

filter_parameter_logging is your friend.

* http://robbyonrails.com/articles/2007/07/16/rails-...

Cheers,
Robby

--
Robby Russell
Chief Evangelist, Partner

PLANET ARGON, LLC
design // development // hosting w/Ruby on Rails

http://planetargon.com/
http://robbyonrails.com/
http://twitter.com/planetargon
aim: planetargon

+1 503 445 2457
+1 877 55 ARGON [toll free]
+1 815 642 4068 [fax]
Gregory Mazurek (Guest)
on 2009-02-23 18:15
(Received via mailing list)
in application.rb, insert: filter_parameter_logging "password"
Fernando Perez (fernando)
on 2009-02-23 18:58
> in application.rb, insert: filter_parameter_logging "password"

Thank you all for your replies. This should be included by default (or
at least commented out?) in restful_auth generator and any other
authentication plugin.
Robby Russell (Guest)
on 2009-02-24 03:54
(Received via mailing list)
Pretty sure this is in there by default in recent versions of Rails.
(in application controller) (2.3 I believe)

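What the filter_parameter_logging "password" line suggested in the replies does to logged parameters, sketched as an added example in plain Ruby (not part of the original thread and not Rails' own code). The helper names filter_params and leaked_lines, the substring key matching, and the sample parameters and log lines are assumptions constructed here; the second function checks an existing log for entries written before the filter was on.

```ruby
# Added illustration in plain Ruby (no Rails needed). It mimics the effect of
# filter_parameter_logging "password"; it is not Rails' own implementation.
FILTERED = "[FILTERED]"

# Copy params, replacing the value of every key whose name contains one of
# the words (case-insensitive) and recursing into nested hashes and arrays.
def filter_params(params, *words)
  pattern = Regexp.union(words.map { |w| /#{Regexp.escape(w.to_s)}/i })
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = key.to_s.match?(pattern) ? FILTERED : filter_params(value, *words)
    end
  when Array then params.map { |item| filter_params(item, *words) }
  else params
  end
end

# Matches a key containing "password" whose value is not already "[FILTERED]".
LEAK = /"[^"]*password[^"]*"\s*=>\s*"(?!\[FILTERED\]")/i

# 1-based numbers of log lines that still carry a plain password value,
# e.g. entries written before the filter was enabled.
def leaked_lines(log_text)
  log_text.each_line.with_index(1).select { |line, _| line.match?(LEAK) }.map(&:last)
end

# Constructed sample request parameters and log lines (not from a real site).
SAMPLE_PARAMS = {
  "login" => "alice",
  "password" => "s3cret",
  "user" => { "password_confirmation" => "s3cret", "email" => "a@example.com" }
}
SAMPLE_LOG = <<~LOG
  Parameters: {"login"=>"alice", "password"=>"s3cret", "action"=>"create"}
  Parameters: {"login"=>"alice", "password"=>"[FILTERED]", "action"=>"create"}
  Parameters: {"user"=>{"password_confirmation"=>"s3cret"}, "action"=>"create"}
LOG

if __FILE__ == $PROGRAM_NAME
  puts "Parameters: #{filter_params(SAMPLE_PARAMS, "password").inspect}"
  puts "Unfiltered password on log lines: #{leaked_lines(SAMPLE_LOG).inspect}"
end
```

Log entries written before the filter was enabled keep their plain values, so the lines this check reports still need to be rotated out or scrubbed.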