Don't print parameter values in logs, in productionmode
Bug #1570221 reported by Aaron Wells
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | Medium | Aaron Wells | |
| 15.04 | Fix Released | Medium | Aaron Wells | |
| 15.10 | Fix Released | Medium | Aaron Wells | |
| 16.04 | Fix Released | Medium | Aaron Wells | |
| 16.10 | Fix Released | Medium | Aaron Wells | |
Bug Description
Following on from Bug 1567186, even scrubbing out parameters that we know to be passwords is not a foolproof way to keep passwords and sensitive data out of the logs. Params might be misnamed, or sensitive data might be passed through general-purpose functions.
The only surefire way to prevent secure data from being printed to the logs is to avoid printing parameter values in stacktraces at all. However, parameter values are useful for debugging, so I think we should show them productionmode=
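The contrast the report draws, as an added example that is not Mahara's code and not part of the original bug page: a trace formatter that includes parameter values when debugging but asks PHP not to collect them at all in production, so nothing has to be recognised as a secret by name. The `$productionmode` flag, the helper names and the sample credential are assumptions made for the example; the only PHP built-ins used are `debug_backtrace()` and `DEBUG_BACKTRACE_IGNORE_ARGS`.

```php
<?php
// Added example, not Mahara's own code. $productionmode is an assumed boolean
// standing in for the site-wide production mode setting the bug refers to.

function format_trace(bool $productionmode): string {
    // In production mode, have PHP skip collecting argument values entirely.
    // Nothing that travelled through any function can then reach the log,
    // however the parameter happens to be named.
    $options = $productionmode ? DEBUG_BACKTRACE_IGNORE_ARGS : 0;
    $frames = debug_backtrace($options);
    // Drop this function's own frame so the trace starts at the caller.
    array_shift($frames);

    $lines = [];
    foreach ($frames as $i => $frame) {
        $call = (isset($frame['class']) ? $frame['class'] . $frame['type'] : '') . $frame['function'];
        if (!$productionmode && isset($frame['args'])) {
            // Debug mode: values are genuinely useful here.
            $args = implode(', ', array_map(fn($a) => var_export($a, true), $frame['args']));
        } else {
            // Production mode: the 'args' key is absent, print a placeholder.
            $args = '...';
        }
        $lines[] = sprintf('#%d %s(%s)', $i, $call, $args);
    }
    return implode("\n", $lines);
}

// A general-purpose helper through which a secret happens to pass. Its
// parameter is called $body, not "password", so scrubbing by parameter name
// (the approach the bug calls insufficient) would not catch it.
function send_request(string $url, string $body): string {
    return format_trace($GLOBALS['productionmode']);
}

function reset_credentials(string $username, string $newvalue): string {
    return send_request('https://example.invalid/api', "user=$username&pw=$newvalue");
}

// Constructed sample input: a username and a throwaway credential.
foreach ([false, true] as $productionmode) {
    echo 'productionmode=' . var_export($productionmode, true) . "\n";
    echo reset_credentials('alice', 'hunter2') . "\n\n";
}
```

With `$productionmode = false` the trace shows `send_request('https://example.invalid/api', 'user=alice&pw=hunter2')`, which is exactly the leak the report describes; with `$productionmode = true` the same frame prints as `send_request(...)`, and no name-based scrubbing is needed because the values were never collected.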
CVE References
information type: Private Security → Public Security
Changed in mahara:
milestone: 16.10.0 → none
status: Fix Committed → Fix Released
Patch: https://reviews.mahara.org/6336