Bug #18788

Let Rails log forbidden attributes

Added by Lukas Zapletal over 5 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Category: Rails
Target version:
Difficulty:
Triaged:
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

By default, Rails 4.x does not show forbidden attributes in production in the log or in the exception itself:

http://api.rubyonrails.org/classes/ActionController/Parameters.html

I see no reason not to log it; a possible attacker needs access to the logs in order to find which attribute was denied.

This makes debugging much harder.

Associated revisions

Revision 3582015c (diff)
Added by Lukas Zapletal over 5 years ago

Fixes #18788 - log protected attributes in prod

History

#1 Updated by The Foreman Bot over 5 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Lukas Zapletal
  • Pull request https://github.com/theforeman/foreman/pull/4356 added

#2 Updated by Marek Hulán over 5 years ago

  • Legacy Backlogs Release (now unused) set to 209

#3 Updated by Lukas Zapletal over 5 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
