Project

General

Profile

Actions
Copy link

Bug #18788

closed

Let Rails to log forbidden attributes

Added by Lukas Zapletal over 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Lukas Zapletal
Category:
Rails
Target version:
1.15.0
Difficulty:
Triaged:
Bugzilla link:
Pull request:
https://github.com/theforeman/foreman/pull/4356
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

By default Rails 4.x does not show forbidden attributes in production in log or in the exception itself:

http://api.rubyonrails.org/classes/ActionController/Parameters.html

I see no reason not to log it, possible attacker needs access to logs in order to find which attribute was denied.

This makes debugging much harder.

Actions
Copy link
 #1

Updated by The Foreman Bot over 7 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Lukas Zapletal
  • Pull request https://github.com/theforeman/foreman/pull/4356 added
Actions
Copy link
 #2

Updated by Marek Hulán over 7 years ago

  • Translation missing: en.field_release set to 209
Actions
Copy link
 #3

Updated by Lukas Zapletal over 7 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions
Copy link

Also available in: Atom PDF