[Catalyst] Suppressing passwords in debug messages
Byron Young
Byron.Young at riverbed.com
Fri Jan 9 21:37:08 GMT 2009
Jesse Sheidlower wrote on 2009-01-07:
> On Wed, Jan 07, 2009 at 10:39:34AM -0800, Byron Young wrote:
>> I like the CATALYST_DEBUG mode for the test server - it's really
>> nice to be able to see all the GET and POST params and requests as
>> they happen. However, my app uses LDAP authentication and I really
>> don't want people's LDAP passwords getting printed with the rest of
>> the parameters.
>>
>> Is there a way to suppress certain parameters from being printed?
>> I didn't see anything in the docs about it, but thought I'd ask
>> before jumping into the code.
>>
>
> This is a FAQ:
>
> http://dev.catalystframework.org/wiki/faq
>
> "How do I hide certain variables (e.g. user/password) from the
> debug screen?"
>
> Jesse Sheidlower
>
Jesse,
Thanks for the reply, but that doesn't quite do what I'm asking (or I'm using it wrong?). I mean the debug log that prints request info when -Debug or CATALYST_DEBUG is turned on. For example:
[debug] Body Parameters are:
.-------------------------------------+--------------------------------------.
| Parameter | Value |
+-------------------------------------+--------------------------------------+
| password | REDACTED |
| submit | Go |
| username | youngb |
'-------------------------------------+--------------------------------------'
[debug] "POST" request for "login" from "10.16.5.10"
[debug] Path is "login"
[debug] Found sessionid "e4202e839e17004bc05baff653ad659f7b165ee7" in cookie
[debug] Restored session "e4202e839e17004bc05baff653ad659f7b165ee7"
[debug] Icebox::Controller::Login - Found username youngb, attempting login
[debug] Icebox::Controller::Login - LDAP login successful for youngb
[debug] Icebox::Controller::Login - Database login successful for youngb
[debug] ***Login::index - redirecting to http://icebox-dev.lab.nbttech.com:3000/
[debug] Redirecting to "http://icebox-dev.lab.nbttech.com:3000/"
[info] Request took 1.282297s (0.780/s)
.----------------------------------------------------------------+-----------.
| Action | Time |
+----------------------------------------------------------------+-----------+
| /auto | 0.000270s |
| /login/index | 0.078559s |
| /end | 0.000765s |
'----------------------------------------------------------------+-----------'
It's in that 'Body Parameters' section that I don't want the password to be displayed. It ends up there in plain text if debugging is turned on. Is there a simple way to remove it or replace the value with '****'?
(but thanks for the link to the FAQ - I was only reading the POD. I have been using Catalyst for a while and have never seen a link to the Catalyst Wiki before - Maybe it would be a good idea to add a link to the Manual?)
Thanks,
Byron
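
An added example, not part of the original message and not Catalyst code: a Python filter that masks sensitive values in the 'Body Parameters' table of a debug log laid out like the one quoted above. The function name, the list of sensitive parameter names, the "Query Parameters" header variant and the sample log are assumptions constructed for illustration.

```python
import re

# Assumed parameter names to mask; adjust for the application.
SENSITIVE = {"password", "passwd", "secret", "token"}

# Header that introduces a parameter table ("Query" is assumed by analogy).
HEADER = re.compile(r"^\[debug\] (?:Body|Query) Parameters are:")
# A table row in the layout shown in the message: "| name | value |"
ROW = re.compile(r"^\|\s*(?P<name>\S+)\s*\|(?P<value>.*)\|\s*$")

def scrub_debug_log(text, sensitive=SENSITIVE, mask="****"):
    """Mask values of sensitive parameters inside parameter tables.
    Lines outside such a table pass through unchanged."""
    out, in_table = [], False
    for line in text.splitlines():
        if HEADER.match(line):
            in_table = True
        elif in_table and not line.startswith(("|", "+", ".")):
            in_table = False  # closing border or any other log line
        elif in_table:
            m = ROW.match(line)
            if m and m.group("name").lower() in sensitive:
                # Pad the mask to the old cell width to keep alignment.
                cell = (" " + mask).ljust(len(m.group("value")))
                line = line[:m.start("value")] + cell + "|"
        out.append(line)
    return "\n".join(out)

# Constructed sample input (not taken from a real system).
SAMPLE = "\n".join([
    "[debug] Body Parameters are:",
    ".-----------+-----------.",
    "| Parameter | Value |",
    "+-----------+-----------+",
    "| password | hunter2 |",
    "| username | alice |",
    "'-----------+-----------'",
    '[debug] "POST" request for "login" from "192.0.2.10"',
    "| password | outside-table |",
])

if __name__ == "__main__":
    print(scrub_debug_log(SAMPLE))
```

The filter is meant to run over log text before it is stored or shared, and it only recognises the table layout shown in the message.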