Mailing List Archive

log filtering
Hello! I have recently started using Catalyst and I ran into a problem where
I want to suppress part of a log statement. My site has a login page and so
when someone tries to login I see something like this in the logs:

[Fri Jan 27 02:16:00 2006] [catalyst] [debug] Body Parameters are:
.----------------------------+--------------------------.
| Key | Value |
+----------------------------+--------------------------+
| password | foobar |
| username | joeuser |
'----------------------------+--------------------------'

I am trying to figure out the best way to suppress the password from being
logged, but still arrange so my controller has access to the raw password.

In the top-level auto routine, I tried replacing $c->log(My::Logger->new())
where My::Logger was a subclass of Catalyst::Log. But when I did that
somehow magically the Body Parameters are no longer logged at all (i.e. debug
does not seem to be called after I replace $c->log). I also tried
subclassing Catalyst::Log::Log4perl with similar results. So there is
obviously something I am missing in how this is supposed to work.

The current hack solution I came up with is to replace the Engine with my own.
In my Engine, I subclass Catalyst::Engine::HTTP and just override
prepare_body_parameters. That routine seems to be called between my
controller getting called and the "Body Parameters" getting logged, so my
solution was to just overwrite the data within prepare_body_parameters. So
basically in the routine I do:
    use Data::Alias;   # assumed source of 'alias' (Lexical::Alias exports the same name)
    alias my $pw = $c->req->{_body}->{param}->{password};
    $pw =~ s/./X/g if $pw;   # overwrite in place, before the value is copied into body_parameters and dumped

So now I see something like this:
[Fri Jan 27 02:16:00 2006] [catalyst] [debug] Body Parameters are:
.----------------------------+--------------------------.
| Key | Value |
+----------------------------+--------------------------+
| password | XXXXXX |
| username | joeuser |
'----------------------------+--------------------------'

This works but it is just too much voodoo for me now, so I assume there is a
better way? Any advice?

Thanks!
-Cory

_______________________________________________
Catalyst-dev mailing list
Catalyst-dev@lists.rawmode.org
http://lists.rawmode.org/mailman/listinfo/catalyst-dev
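
The masking Cory is after, done through a hook instead of an engine subclass, as an added example that is not code from this thread or from Catalyst itself. It assumes a Catalyst new enough (5.80 or later) to call the overridable `log_request_parameters` method when it draws the "Body Parameters" table; the 2006 Catalyst in this thread has no such hook. `redact_params` is a config key invented for this example. The override hands the stock implementation a masked copy, so `$c->req->params` and the controller still see the real password.

```perl
package MyApp;
use Moose;
use namespace::autoclean;
use MRO::Compat;
use Catalyst::Runtime 5.80;   # assumption: a Catalyst that calls log_request_parameters
use Catalyst qw/-Debug/;      # -Debug only so the example actually prints the tables

extends 'Catalyst';

# 'redact_params' is a config key invented for this example, not a Catalyst one.
# Names match case-insensitively; the fallback pattern below catches the usual
# variants (passwd, client_secret, csrf_token, ...).
__PACKAGE__->config(
    name          => 'MyApp',
    redact_params => [qw( password passwd old_password new_password )],
);

# Fixed-width replacement: unlike s/./X/g it does not leak the password length.
use constant MASK => '********';

sub _mask_value {
    my ($v) = @_;
    return [ map { _mask_value($_) } @$v ] if ref $v eq 'ARRAY';   # repeated field
    return ( defined $v && length $v ) ? MASK : $v;                 # keep '' and undef as-is
}

# In -Debug mode Catalyst calls this with ( query => \%params, body => \%params )
# just before it draws the "... Parameters are:" tables. We give the stock
# method a masked *copy*; $c->req->params is untouched, so the controller still
# gets the real password.
sub log_request_parameters {
    my ( $c, %all ) = @_;
    my %hide = map { ( lc($_) => 1 ) } @{ $c->config->{redact_params} || [] };

    for my $type ( keys %all ) {
        my $params = $all{$type} or next;
        my %copy = %$params;                    # shallow copy: never edit the live hash
        for my $key ( keys %copy ) {
            next unless $hide{ lc $key } || $key =~ /pass|secret|token/i;
            $copy{$key} = _mask_value( $copy{$key} );
        }
        $all{$type} = \%copy;
    }
    return $c->next::method(%all);
}

__PACKAGE__->setup;

1;
```

Start the app's server script, POST the login form, and the debug table shows ******** for password while `$c->req->params->{password}` inside the action still holds the submitted value. The override only covers the parameter tables: the debug error page, which dumps the whole request object, and anything else that serialises `$c->req` will still contain the raw value, so run production without -Debug regardless.
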
Re: log filtering
On Fri, Jan 27, 2006 at 09:50:04AM -0800, Cory Bennett wrote:
> Hello! I have recently started using Catalyst and I ran into a problem where
> I want to suppress part of a log statement. My site has a login page and so
> when someone tries to login I see something like this in the logs:
>
> [Fri Jan 27 02:16:00 2006] [catalyst] [debug] Body Parameters are:
> .----------------------------+--------------------------.
> | Key | Value |
> +----------------------------+--------------------------+
> | password | foobar |
> | username | joeuser |
> '----------------------------+--------------------------'
>
> I am trying to figure out the best way to suppress the password from being
> logged, but still arrange so my controller has access to the raw password.

Erm, don't run production sites in debug mode?

--
Matt S Trout Offering custom development, consultancy and support
Technical Director contracts for Catalyst, DBIx::Class and BAST. Contact
Shadowcat Systems Ltd. mst (at) shadowcatsystems.co.uk for more information

+ Help us build a better perl ORM: http://dbix-class.shadowcatsystems.co.uk/ +

Re: log filtering
Cory Bennett wrote:
> Hello! I have recently started using Catalyst and I ran into a problem where
> I want to suppress part of a log statement. My site has a login page and so
> when someone tries to login I see something like this in the logs:
>
> [Fri Jan 27 02:16:00 2006] [catalyst] [debug] Body Parameters are:
> .----------------------------+--------------------------.
> | Key | Value |
> +----------------------------+--------------------------+
> | password | foobar |
> | username | joeuser |
> '----------------------------+--------------------------'
>
> I am trying to figure out the best way to suppress the password from being
> logged, but still arrange so my controller has access to the raw password.

You can call $c->log->abort(1) and the logging for that particular request will
be completely ignored. Static::Simple uses this to hide all static file requests.

-Andy
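
Where Andy's `$c->log->abort(1)` would sit in a login action, as an added example; this is not code from the thread or from Static::Simple. The controller assumes Catalyst::Plugin::Authentication is loaded (for `$c->authenticate`) and that a `login.tt` template exists; both are assumptions of the example.

```perl
package MyApp::Controller::Login;
use Moose;
use namespace::autoclean;

BEGIN { extends 'Catalyst::Controller' }

# Assumptions of this example: Catalyst::Plugin::Authentication is loaded
# (for $c->authenticate) and a login.tt template exists.
sub login : Path('/login') : Args(0) {
    my ( $self, $c ) = @_;

    if ( $c->req->method eq 'POST' ) {
        # Catalyst::Log collects a request's lines in a buffer and writes them
        # in _flush at the end of the request; abort(1) makes _flush drop the
        # buffer instead. The "Body Parameters" table was buffered during
        # prepare, before this action ran, so aborting here still removes it.
        # The can() guard is for replacement loggers that have no abort.
        $c->log->abort(1) if $c->log->can('abort');

        my $p    = $c->req->body_params;
        my $user = defined $p->{username} ? $p->{username} : '';
        my $pass = defined $p->{password} ? $p->{password} : '';

        if ( $c->authenticate( { username => $user, password => $pass } ) ) {
            $c->res->redirect( $c->uri_for('/') );
            $c->detach;
        }

        # Everything sent to $c->log for this request is now discarded, our own
        # failure message included, so record it through a channel that bypasses
        # the per-request buffer (STDERR here; syslog or a second logger in practice).
        warn sprintf "login failed user=%s addr=%s\n", $user, $c->req->address;
        $c->stash( error => 'Invalid username or password' );
    }

    $c->stash( template => 'login.tt' );
}

__PACKAGE__->meta->make_immutable;

1;
```

abort is a blunt tool: it throws away the entire request's log, not just the parameter table, and it only works while the logger is buffering (a logger set to autoflush, or a replacement that writes immediately, has nothing left to discard). If the rest of the debug output for login requests is still wanted, redacting the offending values is the better fix.
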

Re: log filtering
Wade.Stuart@fallon.com wrote:
>
> I do not like this, yuk. If this is considered a good idea and moves
> forward please consider doing this only in Debug mode. If these are
> getting generated any time besides Debug time (dumping raw params), then
> the modules dropping the log lines should be sanitized. The auth modules
> as far as I can tell do not dump the user/pass to log. Please don't make
> assumptions about my log lines.
>
Relax. No-one is suggesting doing anything while not in Debug mode.
I'm only suggesting sanitizing the output of the existing code which
dumps all keys/values in the query parameters.
> For instance we have at least two apps here that dump user:password pair
> logs on failure to log in. These passwords are md5'ed for the log entry so
> as we can tell if the user is trying different passwords, or the same
> password over and over without compromising password secrecy.
>
I cannot imagine why you believe this code would be affected.

Bruce

_______________________________________________
Catalyst-dev mailing list
Catalyst-dev@lists.scsys.co.uk
http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst-dev
Re: log filtering
Bruce Keeler <bruce@drangle.com> wrote on 09/04/2008 08:24:17 PM:

> Wade.Stuart@fallon.com wrote:
> >
> > I do not like this, yuk. If this is considered a good idea and moves
> > forward please consider doing this only in Debug mode. If these are
> > getting generated any time besides Debug time (dumping raw params), then
> > the modules dropping the log lines should be sanitized. The auth modules
> > as far as I can tell do not dump the user/pass to log. Please don't make
> > assumptions about my log lines.
> >
> Relax. No-one is suggesting doing anything while not in Debug mode.
> I'm only suggesting sanitizing the output of the existing code which
> dumps all keys/values in the query parameters.

I guess the way we work is different enough for me not to understand that
need/perspective. I don't toss production apps into debug mode, I turn up
my debug output. I don't pass live user info on dev in debug mode, I have
test accounts. I can't see a point where I would expose Debug on
production even if sanitized, am I out in fringe land here? If you really
do run your prod with -Debug I hope you have replaced RenderView... ?dump_info=1

-Wade


> > For instance we have at least two apps here that dump user:password pair
> > logs on failure to log in. These passwords are md5'ed for the log entry so
> > as we can tell if the user is trying different passwords, or the same
> > password over and over without compromising password secrecy.
> >
> I cannot imagine why you believe this code would be affected.
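
A keyed version of the failed-login fingerprint Wade describes, added as an example; it is not code from the thread or from either of the apps he mentions. An unkeyed MD5 of a user's password is itself a password hash, and anyone who can read the log can run a dictionary attack against it offline. This example keeps the property Wade wants (the same password tried again gives the same value, a different password gives a different one) but derives the value with an HMAC under a key that never appears in the log; the key is assumed to come from the LOGIN_LOG_KEY environment variable.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);   # core module

# Assumption of this example: the key comes from the environment (or the app
# config), never from the log itself. Without the key a reader of the log
# cannot run a dictionary attack against the fingerprints, which they can
# against a bare md5($password).
my $LOG_KEY = $ENV{LOGIN_LOG_KEY};
die "set LOGIN_LOG_KEY to a random secret of at least 32 bytes\n"
    unless defined $LOG_KEY && length($LOG_KEY) >= 32;

# Same key + same user + same password => same fingerprint, so "same wrong
# password five times" and "five different passwords" still look different in
# the log. Binding the username in stops fingerprints from being compared
# across users. 16 hex chars (64 bits) are plenty for equality checks.
sub attempt_fingerprint {
    my ( $username, $password ) = @_;
    return substr( hmac_sha256_hex( "$username\0$password", $LOG_KEY ), 0, 16 );
}

sub failed_login_line {
    my ( $username, $password, $address ) = @_;
    return sprintf 'login failed user=%s addr=%s attempt=%s',
        $username, $address, attempt_fingerprint( $username, $password );
}

# Constructed sample: the same wrong password twice, then a different one.
# The first two lines carry the same attempt= value, the third a different one,
# and none of them contains the password or anything crackable without the key.
my @attempts = (
    [ 'joeuser', 'foobar', '192.0.2.10' ],
    [ 'joeuser', 'foobar', '192.0.2.10' ],
    [ 'joeuser', 'foobaz', '192.0.2.10' ],
);
print failed_login_line(@$_), "\n" for @attempts;
```

Run it as `LOGIN_LOG_KEY=$(openssl rand -hex 32) perl attempt_log.pl`; the first two lines share their attempt= value and the third differs. Treat the key like any other pepper: keep it out of version control and the log pipeline, and rotate it if the log store is ever exposed, since with the key in hand the fingerprints are as crackable as the MD5s were.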




