[Catalyst-dev] log filtering
Wade.Stuart at fallon.com
Fri Sep 5 02:57:18 BST 2008
Bruce Keeler <bruce at drangle.com> wrote on 09/04/2008 08:24:17 PM:
> Wade.Stuart at fallon.com wrote:
> >
> > I do not like this, yuk. If this is considered a good idea and moves
> > forward please consider doing this only in Debug mode. If these are
> > getting generated any time besides Debug time (dumping raw params), then
> > the modules dropping the log lines should be sanitized. The auth modules
> > as far as I can tell do not dump the user/pass to log. Please don't make
> > assumptions about my log lines.
> >
> Relax. No-one is suggesting doing anything while not in Debug mode.
> I'm only suggesting sanitizing the output of the existing code which
> dumps all keys/values in the query parameters.
I guess the way we work is different enough for me not to understand that
need/perspective. I don't toss production apps into debug mode, I turn up
my debug output. I don't pass live user info on dev in debug mode, I have
test accounts. I can't see a point where I would expose Debug on
production even if sanitized, am I out in fringe land here? If you really
do run your prod with -Debug I hope you have replaced RenderView... ? dump_info=1
-Wade
> > For instance we have at least two apps here that dump user:password pair
> > logs on failure to log in. These passwords are md5'ed for the log entry so
> > as we can tell if the user is trying different passwords, or the same
> > password over and over without compromising password secrecy.
> >
> I cannot imagine why you believe this code would be affected.