
Ticket #8432 (closed defect: fixed)

Opened 1 year ago

Last modified 11 months ago

[PATCH] param filtering for ExceptionNotification plugin

Reported by: toolmantim Assigned to: minam
Priority: normal Milestone: 2.x
Component: Plugins Version: edge
Severity: major Keywords: exception notification
Cc:

Description

The exception notification plugin doesn't respect filtered parameters and, as a result, emails can be sent out that contain some interesting data (*cough* credit card numbers *cough*).

Attached is a patch (with tests) that uses the controller's param filtering to make sure emails don't contain any surprises.

Attachments

exception_notification_with_param_logging.diff (5.0 kB) - added by toolmantim on 05/22/07 15:36:27.
exception_notification_with_param_logging.2.diff (5.0 kB) - added by toolmantim on 05/22/07 15:37:56.
exception_notifier_helper.patch (0.6 kB) - added by igotimac on 08/29/07 16:09:29.
patch to filter on the environment as well

Change History

05/22/07 15:36:27 changed by toolmantim

  • attachment exception_notification_with_param_logging.diff added.

05/22/07 15:37:56 changed by toolmantim

  • attachment exception_notification_with_param_logging.2.diff added.

05/22/07 15:39:06 changed by toolmantim

The second patch is the one you want. It removes a redundant line.

05/22/07 23:03:24 changed by bitsweat

  • keywords changed from patch plugins to exception notification.
  • owner changed from core to minam.

Looks good.

06/21/07 08:11:03 changed by toolmantim

Now that you're back from holidays, Jamis, I thought I'd give this a gentle bump. 'Twas posted to the rails-core list when you were away.

06/27/07 02:52:49 changed by minam

  • status changed from new to closed.
  • resolution set to fixed.

(In [7132]) param filtering for exception notification (closes #8432, thanks for the excellent patch!)

08/29/07 16:08:47 changed by igotimac

  • status changed from closed to reopened.
  • resolution deleted.

This fix fails to filter out sensitive data that might be in the "environment".

For example, if I am filtering: http_authorization I shouldn't see

  • HTTP_AUTHORIZATION: Basic dGVzdHVzZXI6dGVzdHBhc3M=

I should see

  • HTTP_AUTHORIZATION: [FILTERED]

in my emails

(see my patch)

08/29/07 16:09:29 changed by igotimac

  • attachment exception_notifier_helper.patch added.

patch to filter on the environment as well

08/29/07 21:33:04 changed by toolmantim

Thanks for picking that up igotimac! Could you add a failing test case to the unit tests as well?

11/23/07 16:43:17 changed by minam

  • status changed from reopened to closed.
  • resolution set to fixed.

(In [8193]) filter environment keys through the controller's parameter filtering settings (closes #8432)
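
The behaviour this ticket converges on, sketched as an added example (not the plugin's code and not either attached patch): one filter list is applied to both the request parameters and the environment hash before they reach the email body. The helper names, the sample request and the case-insensitive substring matching of filter words are assumptions made for illustration.

```ruby
# Added example: hypothetical helpers, not the ExceptionNotification plugin's code.
FILTERED = "[FILTERED]".freeze

# Recursively replaces values whose key matches any filter word.
# Matching is a case-insensitive substring match (an assumption), so the
# filter word "http_authorization" also catches the key "HTTP_AUTHORIZATION".
def filter_sensitive(data, filter_words)
  return data if filter_words.empty?
  pattern = Regexp.new(filter_words.map { |w| Regexp.escape(w.to_s) }.join("|"),
                       Regexp::IGNORECASE)
  case data
  when Hash
    data.each_with_object({}) do |(key, value), out|
      # A matching key hides the whole value, including any nested structure.
      out[key] = pattern.match?(key.to_s) ? FILTERED : filter_sensitive(value, filter_words)
    end
  when Array
    data.map { |item| filter_sensitive(item, filter_words) }
  else
    data
  end
end

# Builds the sections a notification email would render, with the same
# filter list applied to params and to the environment.
def notification_sections(params, env, filter_words)
  { "params"      => filter_sensitive(params, filter_words),
    "environment" => filter_sensitive(env, filter_words) }
end

# Constructed sample request; the Authorization value is the one quoted in the ticket.
SAMPLE_PARAMS = {
  "order" => { "id" => "42", "card_number" => "4111111111111111",
               "items" => [{ "sku" => "A1", "gift_card_number" => "9999" }] }
}.freeze
SAMPLE_ENV = {
  "REQUEST_METHOD"     => "POST",
  "HTTP_AUTHORIZATION" => "Basic dGVzdHVzZXI6dGVzdHBhc3M="
}.freeze
SAMPLE_FILTERS = [:card_number, :http_authorization].freeze

if __FILE__ == $PROGRAM_NAME
  notification_sections(SAMPLE_PARAMS, SAMPLE_ENV, SAMPLE_FILTERS).each do |name, section|
    puts "#{name}: #{section.inspect}"
  end
end
```

A unit test for this kind of filter should cover nested hashes, arrays of hashes and upper-case environment keys, since each is a path by which an unfiltered value can reach the email.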