production_error.log may contain plaintext passwords

(Michael) #1

While researching the previous bug we encountered a nasty password disclosure bug.
I don’t know if this is a standard Rails issue, or a Thin issue, or a Discourse issue, so feel free to close this if inappropriate.

The asterisks in the snippet from production_error.log below have been put there by me. It contained plaintext username/password.

  <date type="datetime">2013-10-13T11:39:08+00:00</date>
  <user-id type="integer">1</user-id>
  <request>{"username"=>"****", "password"=>"*******", "redirect"=>"http://******", "action"=>"enter", "controller"=>"static"}</request>
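The leak above comes from an error handler serialising the raw request hash into its own log, which bypasses the parameter filtering that Rails applies to its standard logger. The following is an added example (not Discourse's actual fix and not Rails' own code) of redacting such a hash before it is written; the key pattern, the `[FILTERED]` mask and the sample request are assumptions constructed for the example.

```ruby
# Added example (not Discourse's fix): redact sensitive request parameters
# before they are serialised into an error log. Rails' config.filter_parameters
# covers the Rails logger, but a handler that dumps the request hash itself
# has to apply the same masking explicitly.

# Assumed key pattern; extend it to whatever your application treats as secret.
SENSITIVE_KEYS = /passw|secret|token|api_key|session/i

# Recursively walk hashes and arrays, replacing values whose key matches
# SENSITIVE_KEYS with a fixed mask. Non-sensitive values are kept so the
# log entry stays useful for debugging.
def redact_params(obj, mask = '[FILTERED]')
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), out|
      out[k] = k.to_s.match?(SENSITIVE_KEYS) ? mask : redact_params(v, mask)
    end
  when Array
    obj.map { |v| redact_params(v, mask) }
  else
    obj
  end
end

# Build the <request> element in the shape the log snippet above shows,
# but from the redacted hash rather than the raw one.
def request_log_entry(params)
  "<request>#{redact_params(params).inspect}</request>"
end

# Constructed sample mirroring the logged request, with a nested secret added
# to show that redaction reaches below the top level.
SAMPLE_REQUEST = {
  'username' => 'alice', 'password' => 'hunter2',
  'redirect' => 'http://example.invalid/', 'action' => 'enter',
  'controller' => 'static',
  'nested' => { 'auth_token' => 'abc123', 'count' => 2 }
}

# Regression check: does a produced log line still contain any known secret?
def leaks_secret?(line, secrets)
  secrets.any? { |s| line.include?(s) }
end

puts request_log_entry(SAMPLE_REQUEST) if __FILE__ == $0
```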

(Sam Saffron) #2

My bug, fixed in master

(Sam Saffron) #3

