[Rails] Re: Possible Rails Security Issue?
Kent Sibilev
ksruby at gmail.com
Tue Feb 7 20:35:57 GMT 2006
By setting the log level to WARN you lose important log information which
could be used for statistical analysis. I have a small plugin which
allows disabling parameter logging for specific actions. Use it
like
  class MyController < ApplicationController
    include LogSafe
    log_safe_action :pay   # parameters of :pay are never written to the log

    def pay
      ...
    end
  end
Below is the plugin itself.
file init.rb:

  require 'log_safe'

file lib/log_safe.rb:

  module LogSafe
    def self.included(controller)
      controller.extend(ClassMethods)
    end

    module ClassMethods
      # Mark actions whose request parameters must never reach the log.
      # Appends to the actions already registered instead of replacing them.
      def log_safe_action(*names)
        write_inheritable_attribute(:log_safe_actions,
          log_safe_actions + names.map { |n| n.to_s })
      end

      def log_safe_actions
        read_inheritable_attribute(:log_safe_actions) || []
      end
    end

    # Shadows ActionController::Base#log_processing; the only difference is
    # that the Parameters line is skipped for log-safe actions.
    def log_processing
      return unless logger
      logger.info "\n\nProcessing #{controller_class_name}\##{action_name} (for #{request_origin}) [#{request.method.to_s.upcase}]"
      logger.info "  Session ID: #{@session.session_id}" if @session and @session.respond_to?(:session_id)
      logger.info "  Parameters: #{@params.inspect}" unless self.class.log_safe_actions.include?(action_name)
    end
  end
Kent.
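An added example, not Kent's plugin or Rails code: the same per-action log-safe policy in plain Ruby, going one step further by redacting named parameter keys on every other action, so that most of the log detail Kent wants to keep survives while secrets do not. `LogSafePolicy`, `PaymentsController` and the key names are assumed for illustration.

```ruby
# Added example (not Kent's plugin, no Rails): per-action "log safe" policy
# plus per-key redaction. Class and key names are illustrative.
module LogSafePolicy
  REDACTED = "[FILTERED]".freeze

  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    # Actions whose parameters are dropped from the log entirely.
    def log_safe_action(*names)
      log_safe_actions.concat(names.map { |n| n.to_s }).uniq!
    end
    def log_safe_actions
      @log_safe_actions ||= []
    end

    # Keys (case-insensitive substring match, so "card" matches "CardNumber")
    # whose values are replaced by [FILTERED] on every other action.
    def filter_parameter_logging(*keys)
      filtered_keys.concat(keys.map { |k| k.to_s.downcase }).uniq!
    end
    def filtered_keys
      @filtered_keys ||= []
    end
  end

  # Text that would go to the log for this action, or nil when the action
  # is log-safe and nothing about its parameters may be recorded.
  def parameters_log_line(action, params)
    return nil if self.class.log_safe_actions.include?(action.to_s)
    "  Parameters: #{filter_params(params).inspect}"
  end
  # Redacts matching keys, recursing into nested parameter hashes.
  def filter_params(params)
    params.each_with_object({}) do |(key, value), out|
      if self.class.filtered_keys.any? { |f| key.to_s.downcase.include?(f) }
        out[key] = REDACTED
      else
        out[key] = value.is_a?(Hash) ? filter_params(value) : value
      end
    end
  end
end

class PaymentsController
  include LogSafePolicy
  log_safe_action :pay                       # :pay logs no parameters at all
  filter_parameter_logging :password, :card  # redacted on every other action
end
```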
On 2/7/06, Lon Baker <lon at speedymac.com> wrote:
> When running in production, I set the logger level to warn, in the
> environment.rb
>
> RAILS_DEFAULT_LOGGER.level = Logger::WARN
>
> This prevents the post information you are concerned about from
> being recorded in the logs.
>
> --
> Lon Baker
> http://www.speedymac.com
> AIM: spdemac