Wednesday 21 March 2012

Rails on Logging Passwords

I was just reading through the security issues for my app, as it is good to do from time to time to keep on my toes, when I spotted this:
"By default, Rails logs all requests being made to the web application. ... Encrypting secrets and passwords in the database will be quite useless, if the log files list them in clear text."


I immediately jumped to my development.log to check whether my passwords were showing, and lo and behold, at around line 1000:
"Parameters: {"utf8"=>"✓", "authenticity_token"=>"8DznfYV1t1Mb+S/3MzMaZ9Clf/FuO894UkYFoBfu0Ug=", "user"=>{"email"=>"a@a.a", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "language"=>"en"}, "commit"=>"Created User"}"

Thank you, Rails 3.2!


Note 1:
If your passwords are not hidden, the fix should be something like the following line in your application config:
config.filter_parameters << :password
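The following Ruby is an added example, not Rails' own implementation, that mimics what config.filter_parameters does to a request before it is logged: each filter is matched as a case-insensitive substring of a parameter key, so :password also covers password_confirmation, and nested hashes and arrays are walked recursively. SAMPLE_PARAMS is constructed to resemble the sign-up request in the log line above.

```ruby
# Stand-in for Rails' parameter filtering (added example, not Rails code).
FILTERED = "[FILTERED]".freeze

# Returns a copy of params with every value whose key matches one of the
# filters replaced by "[FILTERED]". Filters are case-insensitive substrings,
# which is why :password also hides "password_confirmation".
def filter_params(params, filters = [:password])
  patterns = filters.map { |f| Regexp.new(Regexp.escape(f.to_s), Regexp::IGNORECASE) }
  filter_value(params, patterns)
end

# Recursive worker: hashes are filtered key by key, arrays element by element,
# scalars are returned unchanged.
def filter_value(value, patterns)
  case value
  when Hash
    value.each_with_object({}) do |(key, v), out|
      out[key] = if patterns.any? { |p| key.to_s =~ p }
                   FILTERED
                 else
                   filter_value(v, patterns)
                 end
    end
  when Array
    value.map { |v| filter_value(v, patterns) }
  else
    value
  end
end

# Constructed request parameters shaped like the sign-up request in the log.
SAMPLE_PARAMS = {
  "utf8" => "✓",
  "authenticity_token" => "placeholder-token",
  "user" => {
    "email" => "a@a.a",
    "password" => "hunter2",
    "password_confirmation" => "hunter2",
    "language" => "en",
  },
  "commit" => "Created User",
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "Parameters: #{filter_params(SAMPLE_PARAMS).inspect}"
end
```

Without the filter, the two "hunter2" values would land in development.log exactly as submitted; with it, only the email, language and commit button text remain readable.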

Note 2: It looks like Git does not push up log files in a Rails app by default, but you should double-check the log directories of all your public GitHub repositories just in case.
