It seems that in the default Production environment, Rails logs posted
form data. Isn’t this a security risk? Especially since a user
creation form puts this in the logfile:
Processing Base#index (for 127.0.0.1 at 2005-12-18 21:03:33) [POST]
Parameters: {“user”=>{“password_confirmation”=>“mypassword”,
“username”=>“seanwolfe”, “lastname”=>“Wolfe”, “firstname”=>“Sean”,
“form”=>“edit”, “password”=>“mypassword”,
“email”=>“[email protected]”}, “commit”=>“Signup”}
I’m not totally familiar with all the logging features, but for an
production environment shouldn’t this be off by default?
–
Sean W.
master nerd of
i heart squares, Co.
3711 N. Ravenswood Ave. #147 Chicago, IL 60613
Ph. (773) 531-6301 Fx. (773) 529-7041
http://www.iheartsquares.com
Yes, it’s a security risk, but you can get some protection
by just changing the access level on the logs.
On Unix, it might be this,
chmod 600 *.log
or apply this to the entire log directory.
Also, run your rails app with a special user account that has
minimal privileges.
Make sure code and db schema aren’t world readable–that is
as much of a security threat as open passwords.
If the data you are collecting is sensitive and there is more
than one person who has password access to the logs you should
wrap sensitive db activity with,
ActiveRecord::Base.silence
to have the logger temporarily turned off.
Also in production mode I usually don’t want any of that stuff in
there since my apps are already tested and such. So i set the log
level to fatal and then all you get i the production logs is stack
traces when and exception happens. Also if you leave the logs at the
default level, they will quickly get huge.
Cheers-
-Ezra
On Dec 19, 2005, at 3:25 AM, Lou V. wrote:
than one person who has password access to the logs you should
form data. Isn’t this a security risk? Especially since a user
master nerd of
Rails mailing list
[email protected]
http://lists.rubyonrails.org/mailman/listinfo/rails
-Ezra Z.
Yakima Herald-Republic
WebMaster
http://yakimaherald.com
509-577-7732
[email protected]