[Catalyst] Suppressing passwords in debug messages

J. Shirley jshirley at gmail.com
Fri Jan 9 22:13:55 GMT 2009


On Fri, Jan 9, 2009 at 1:37 PM, Byron Young <Byron.Young at riverbed.com> wrote:
> Jesse Sheidlower wrote on 2009-01-07:
>> On Wed, Jan 07, 2009 at 10:39:34AM -0800, Byron Young wrote:
>>> I like the CATALYST_DEBUG mode for the test server - it's really
>>> nice to be able to see all the GET and POST params and requests as
>>> they happen.  However, my app uses LDAP authentication and I really
>>> don't want people's LDAP passwords getting printed with the rest of
>>> the parameters.
>>>
>>> Is there a way to suppress certain parameters from being printed?
>>> I didn't see anything in the docs about it, but thought I'd ask
>>> before jumping into the code.
>>>
>>
>> This is a FAQ:
>>
>> http://dev.catalystframework.org/wiki/faq
>>
>> "How do I hide certain variables (e.g. user/password) from the
>> debug screen?"
>>
>> Jesse Sheidlower
>>
>
> Jesse,
>
> Thanks for the reply, but that doesn't quite do what I'm asking (or I'm using it wrong?).  I mean the debug log that prints request info when -Debug or CATALYST_DEBUG is turned on.  For example:
>
> [debug] Body Parameters are:
> .-------------------------------------+--------------------------------------.
> | Parameter                           | Value                                |
> +-------------------------------------+--------------------------------------+
> | password                            | REDACTED                             |
> | submit                              | Go                                   |
> | username                            | youngb                               |
> '-------------------------------------+--------------------------------------'
> [debug] "POST" request for "login" from "10.16.5.10"
> [debug] Path is "login"
> [debug] Found sessionid "e4202e839e17004bc05baff653ad659f7b165ee7" in cookie
> [debug] Restored session "e4202e839e17004bc05baff653ad659f7b165ee7"
> [debug] Icebox::Controller::Login - Found username youngb, attempting login
> [debug] Icebox::Controller::Login - LDAP login successful for youngb
> [debug] Icebox::Controller::Login - Database login successful for youngb
> [debug] ***Login::index - redirecting to http://icebox-dev.lab.nbttech.com:3000/
> [debug] Redirecting to "http://icebox-dev.lab.nbttech.com:3000/"
> [info] Request took 1.282297s (0.780/s)
> .----------------------------------------------------------------+-----------.
> | Action                                                         | Time      |
> +----------------------------------------------------------------+-----------+
> | /auto                                                          | 0.000270s |
> | /login/index                                                   | 0.078559s |
> | /end                                                           | 0.000765s |
> '----------------------------------------------------------------+-----------'
>
>
> It's in that 'Body Parameters' section that I don't want the password to be displayed.  It ends up there in plain text if debugging is turned on.  Is there a simple way to remove it or replace the value with '****'?
>
>
>  (but thanks for the link to the FAQ - I was only reading the POD.  I have been using Catalyst for a while and have never seen a link to the Catalyst Wiki before - Maybe it would be a good idea to add a link to the Manual?)
>
> Thanks,
> Byron
>

I think this is a valid feature request, but I don't think there is a
(simple) way to do it.

The methods in question are Catalyst->prepare_body and
prepare_query_parameters, which just dump all the parameters.

I think something like this would do the trick:
=== lib/Catalyst.pm
==================================================================
--- lib/Catalyst.pm	(revision 18145)
+++ lib/Catalyst.pm	(local)
@@ -1830,7 +1830,11 @@

     if ( $c->debug && keys %{ $c->request->query_parameters } ) {
         my $t = Text::SimpleTable->new( [ 35, 'Parameter' ], [ 36, 'Value' ] );
+        my %skip = map { $_ => $_ } @{
+            $c->config->{'Plugin::Debug'}->{'skip_dump_parameters'} || []
+        };
         for my $key ( sort keys %{ $c->req->query_parameters } ) {
+            next if $skip{$key};
             my $param = $c->req->query_parameters->{$key};
             my $value = defined($param) ? $param : '';
             $t->row( $key,
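Review bot: only the query_parameters dump around line 1830 gets the skip; the "Body Parameters" table that Byron is actually worried about is printed by the separate loop in prepare_body, so the same `%skip` lookup and `next if $skip{$key};` need to be added there as well, or the password still lands in the log on every POST login. Consider `$t->row( $key, '****' )` for skipped keys instead of `next`, so the log still shows the field was sent while hiding the value, and `map { $_ => 1 }` rather than `map { $_ => $_ }` for the lookup hash, which avoids copying the parameter names into the values for no reason.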


Then configure it via:

__PACKAGE__->config(
    'Plugin::Debug' => {
        skip_dump_parameters => [ qw/password/ ],
    }
);

Core devs around who want to look?
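As an added, standalone example (not code from this post or from Catalyst itself), here is the parameter dump written as a function that masks listed names with '****' instead of dropping the row, matches names case-insensitively, and handles multi-valued (array ref) parameters the way the request object stores them; it assumes Text::SimpleTable is installed, and the function and variable names are made up.

```perl
#!/usr/bin/perl
# Added example, not Catalyst's own code. Assumes Text::SimpleTable
# (a Catalyst dependency) is available; draw_parameters() is a made-up name.
use strict;
use warnings;
use Text::SimpleTable;

# Build the debug table for one parameter hash. %$params mirrors
# $c->req->body_parameters: values are scalars, or array refs for
# multi-valued fields. @$hide is the configured list of sensitive names.
sub draw_parameters {
    my ( $params, $hide ) = @_;
    my %hide = map { lc($_) => 1 } @{ $hide || [] };   # case-insensitive lookup

    my $t = Text::SimpleTable->new( [ 35, 'Parameter' ], [ 36, 'Value' ] );
    for my $key ( sort keys %$params ) {
        my $param = $params->{$key};
        my $value = defined($param) ? $param : '';
        # Keep the row so the log still shows the field was submitted,
        # but never print the secret itself (covers array refs too).
        if ( $hide{ lc $key } ) {
            $value = '****';
        }
        elsif ( ref $value eq 'ARRAY' ) {
            $value = join ', ', @$value;
        }
        $t->row( $key, $value );
    }
    return $t->draw;
}

# Constructed sample request, modelled on the login POST in the thread.
my %body = (
    username => 'youngb',
    Password => 'secret-not-for-logs',   # odd capitalisation is still caught
    submit   => 'Go',
    groups   => [ 'admins', 'ops' ],     # multi-valued field
);
my @hide = qw(password passwd old_password new_password);

print "[debug] Body Parameters are:\n", draw_parameters( \%body, \@hide );
```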