Mailing List Archive

log filtering
Hi,

I need to filter the log output of an intranet app, because it
authenticates users against our LDAP server and it is not desired to
have the LDAP passwords of my colleagues in the logs - even if debugging
is on for only a few minutes to track down a problem.

I found this topic was on the list a few years ago:
http://lists.scsys.co.uk/pipermail/catalyst-dev/2006-January/000077.html

The proposed solution was to suppress output with $c->log->abort(1).
Unfortunately this also suppresses the username, which makes searching
logs quite painful.

So I started to hack a solution for this problem. First I overrode
prepare_body() in MyApp.pm which works fine as long as nobody touches it
in Catalyst.pm. Then I tried to write a plugin, but it's the same problem -
I have to touch the plugin every time the logic of prepare_body() changes.

Finally I encapsulated part of the code which writes the debug
information to the function debug_parameters().
In Catalyst.pm it does what it did before, in MyApp.pm it prints out
whatever I like - especially no passwords.

I attached a patch against Catalyst.pm Version 5.7014.

What do you think of this?

Georg
Re: log filtering
I'd go one step further, and have that code just automatically redact
the values of any parameters matching something like /^pass(w(or)?d)?$/i
by default. Logging passwords is just plain bad, there's almost never
any valid reason to do it.

I like to leave debug logging on even for production systems. Disk
space isn't an issue, and it's extremely useful to be able to figure out
exactly what a user was doing when they report a bug.

Georg Oechsler wrote:
> Hi,
>
> I need to filter the log output of an intranet app, because it
> authenticates users against our LDAP server and it is not desired to
> have the LDAP passwords of my colleagues in the logs - even if
> debugging is on for only a few minutes to track down a problem.
>
> I found this topic was on the list a few years ago:
> http://lists.scsys.co.uk/pipermail/catalyst-dev/2006-January/000077.html
>
>
> The proposed solution was to suppress output with $c->log->abort(1).
> Unfortunately this also suppresses the username, which makes searching
> logs quite painful.
>
> So I started to hack a solution for this problem. First I overrode
> prepare_body() in MyApp.pm which works fine as long as nobody touches
> it in Catalyst.pm. Then I tried to write a plugin, but it's the same
> problem - I have to touch the plugin every time the logic of
> prepare_body() changes.
>
> Finally I encapsulated part of the code which writes the debug
> information to the function debug_parameters().
> In Catalyst.pm it does what it did before, in MyApp.pm it prints out
> whatever I like - especially no passwords.
>
> I attached a patch against Catalyst.pm Version 5.7014.
>
> What do you think of this?
>
> Georg
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Catalyst-dev mailing list
> Catalyst-dev@lists.scsys.co.uk
> http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst-dev

Re: log filtering
Bruce Keeler <bruce@drangle.com> wrote on 09/04/2008 01:26:11 PM:

> I'd go one step further, and have that code just automatically redact
> the values of any parameters matching something like /^pass(w(or)?d)?$/i
> by default. Logging passwords is just plain bad, there's almost never
> any valid reason to do it.
>
> I like to leave debug logging on even for production systems. Disk
> space isn't an issue, and it's extremely useful to be able to figure out
> exactly what a user was doing when they report a bug.

I do not like this, yuk. If this is considered a good idea and moves
forward please consider doing this only in Debug mode. If these are
getting generated any time besides Debug time (dumping raw params), then
the modules dropping the log lines should be sanitized. The auth modules
as far as I can tell do not dump the user/pass to log. Please don't make
assumptions about my log lines.

For instance we have at least two apps here that dump user:password pair
logs on failure to log in. These passwords are md5'ed for the log entry so
as we can tell if the user is trying different passwords, or the same
password over and over without compromising password secrecy.

-Wade
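
An added example, not code from the thread or from Catalyst: one way to build a loggable copy of request parameters that covers both ideas discussed above, redacting values whose names match the pattern Bruce suggests, or replacing them with a digest so repeated attempts can still be correlated as Wade describes. The function name, the key and the sample request are assumptions; the digest is a keyed HMAC-SHA256 rather than the plain MD5 mentioned in the thread, because an unkeyed digest of a password can be guessed offline by anyone who reads the log.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Parameter names treated as secret: the pattern suggested in the thread.
my $SECRET_NAME = qr/^pass(w(or)?d)?$/i;
# Hypothetical logging key; load it from configuration, never from source.
my $LOG_KEY = 'constructed-example-key';

# Return a copy of the request parameters that is safe to log.
# mode 'redact' (default): secret values become a fixed marker.
# mode 'digest': secret values become a truncated keyed digest, so the
#                same password submitted twice yields the same log token.
sub loggable_parameters {
    my ($params, $mode) = @_;
    my $mask = ($mode // 'redact') eq 'digest'
        ? sub { 'hmac:' . substr(hmac_sha256_hex($_[0] // '', $LOG_KEY), 0, 16) }
        : sub { '[REDACTED]' };
    my %safe;
    for my $name (keys %$params) {
        my $value = $params->{$name};
        # A parameter may be a single scalar or an array reference of values.
        my $is_list = ref($value) eq 'ARRAY';
        my @values  = $is_list ? @$value : ($value);
        @values = map { $mask->($_) } @values if $name =~ $SECRET_NAME;
        $safe{$name} = $is_list ? [@values] : $values[0];
    }
    return \%safe;
}

# Constructed sample request, not taken from the thread.
my %request = (
    username => 'georg',
    Password => 'hunter2',
    passwd   => [ 'first-try', 'second-try' ],
    comment  => 'password reset requested',
);

for my $mode (qw(redact digest)) {
    my $safe = loggable_parameters(\%request, $mode);
    for my $name (sort keys %$safe) {
        my $v = $safe->{$name};
        printf "[debug] %-6s %-8s = %s\n", $mode, $name,
            ref $v ? join(', ', @$v) : $v;
    }
}
```

The pattern is anchored at both ends, so names such as `password_confirm` or `pwd` pass through unmasked; an application with such fields needs to extend it. The username and the free-text `comment` stay searchable in both modes.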

