[Catalyst-dev] log filtering
Bruce Keeler
bruce at drangle.com
Fri Sep 5 02:24:17 BST 2008
Wade.Stuart at fallon.com wrote:
>
> I do not like this, yuk. If this is considered a good idea and moves
> forward please consider doing this only in Debug mode. If these are
> getting generated any time besides Debug time (dumping raw params), then
> the modules dropping the log lines should be sanitized. The auth modules
> as far as I can tell do not dump the user/pass to log. Please don't make
> assumptions about my log lines.
>
Relax. No-one is suggesting doing anything while not in Debug mode.
I'm only suggesting sanitizing the output of the existing code which
dumps all keys/values in the query parameters.
> For instance we have at least two apps here that dump user:password pair
> logs on failure to log in. These passwords are md5'ed for the log entry so
> as we can tell if the user is trying different passwords, or the same
> password over and over without compromising password secrecy.
>
I cannot imagine why you believe this code would be affected.
Bruce