[Catalyst] Re: Supressing passwords in debug messages
J. Shirley
jshirley at gmail.com
Mon Jan 12 19:51:35 GMT 2009
On Mon, Jan 12, 2009 at 10:45 AM, Byron Young <Byron.Young at riverbed.com> wrote:
> Ansgar Burchardt wrote on 2009-01-11:
>> Hi,
>>
>> "J. Shirley" <jshirley at gmail.com> writes:
>>> === lib/Catalyst.pm
>>>
>>> ================================================================== ---
>>> lib/Catalyst.pm (revision 18145) +++ lib/Catalyst.pm (local) @@
>>> -1830,7 +1830,11 @@
>>>
>>> if ( $c->debug && keys %{ $c->request->query_parameters } )
>> {
>>> my $t = Text::SimpleTable->new( [ 35, 'Parameter' ], [
>> 36, 'Value' ] );
>>> + my %skip = map { $_ => $_ } @{
>>> + $c->config->{'Plugin::Debug'}-
>>> {'skip_dump_parameters'} || []
>>> + };
>>> for my $key ( sort keys %{ $c->req->query_parameters } )
>> {
>>> + next if $skip{$key};
>>> my $param = $c->req->query_parameters->{$key};
>>> my $value = defined($param) ? $param : '';
>>> $t->row( $key,
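Review bot: `next if $skip{$key};` in the query-parameter loop drops the row entirely, so the debug table gives no sign that the parameter was received; emitting the row with a fixed placeholder in place of the value would keep the key visible without logging the secret. The lookup hash is built with `map { $_ => $_ }`, so a configured name of `0` or the empty string maps to a false value and is never skipped; `map { $_ => 1 }` avoids that. The visible hunk filters only `query_parameters`; if body parameters are dumped by a separate loop, it needs the same filter.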
>>
>> I think it would be better to show that the parameter was sent, but
>> Catalyst configured to not display its value. This can be done for
>> example by displaying a value of `(hidden)'.
>>
>> If the parameter is simply skipped, it might be confusing if you forget
>> that you configured Catalyst to not display it.
>>
>> Regards,
>> Ansgar
>>
>
> Yeah, I agree that the parameter should be shown as sent, but just not show the value.
>
> J Shirley - Thanks for looking into it. Let me know if there's anything I can do to help.
>
> Thanks,
> Byron
>
>
The patch I'm creating needs to be configured in some way; I am
thinking at this point it can be configured as follows:

    package MyApp;

    __PACKAGE__->config(
        'Debug' => {
            # Two alternative settings (use one):
            # Simply don't render the parameters incoming, very shotgunny
            skip_dump_parameters => 1,
            # Show '(redacted by config)' as the value of these fields
            skip_dump_parameters => [ qw/password/ ],
        }
    );

I'll need to bake tests for this, and there are currently no tests
for handling the dumping of parameters, so it will be a bit more. If
someone wants to help with that, let me know and I can help guide.
-J
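
The behaviour discussed in this thread (keep the parameter name in the debug table, hide its value), as an added Perl example that is not part of the original message or of Catalyst's code. `debug_rows` and the sample parameters are hypothetical; the two accepted settings follow the configuration sketched above.

```perl
#!/usr/bin/perl
# Added illustration; not Catalyst's code. debug_rows() is a hypothetical helper.
use strict;
use warnings;

my $PLACEHOLDER = '(redacted by config)';

# $params: hashref of request parameters (values may be scalars or arrayrefs).
# $skip:   the proposed skip_dump_parameters setting: a true scalar (dump
#          nothing) or an arrayref of parameter names whose values are hidden.
# Returns a list of [ name, value ] rows for the debug table.
sub debug_rows {
    my ( $params, $skip ) = @_;

    # Scalar true value: suppress the whole parameter dump.
    return () if defined $skip && !ref($skip) && $skip;

    # name => 1, so that a parameter named "0" still tests true in the lookup.
    my %hidden = map { $_ => 1 } @{ ref($skip) eq 'ARRAY' ? $skip : [] };

    my @rows;
    for my $key ( sort keys %$params ) {
        my $param = $params->{$key};
        my $value
            = $hidden{$key}            ? $PLACEHOLDER    # name shown, value hidden
            : !defined($param)         ? ''
            : ref($param) eq 'ARRAY'   ? join( ', ', @$param )
            :                            $param;
        push @rows, [ $key, $value ];
    }
    return @rows;
}

# Constructed sample request parameters.
my %params = ( username => 'alice', password => 'hunter2', tag => [ 'a', 'b' ] );

for my $skip ( undef, ['password'], 1 ) {
    my $label = !defined($skip) ? 'unset' : ref($skip) ? "[@$skip]" : $skip;
    print "skip_dump_parameters = $label\n";
    printf "  %-10s %s\n", @$_ for debug_rows( \%params, $skip );
}
```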