Censor password values in audit logging.

pull/7/head
Ferry Boender 8 years ago
parent 803420289a
commit 25a64b7949
  1. 2
      doc/MANUAL.md
  2. 13
      src/webapp.py

@ -1305,7 +1305,7 @@ There are a few security issues to take into consideration when deploying Script
"Invocations" chapter. "Invocations" chapter.
- Scriptform logs the invocation of scripts and variables to the log file for - Scriptform logs the invocation of scripts and variables to the log file for
auditing purposes. auditing purposes. Password values are censored.
- Although Scriptform is written to be secure, it not meant to be served to - Although Scriptform is written to be secure, it not meant to be served to
the public internet. **You should only use it in controlled environments the public internet. **You should only use it in controlled environments

@ -9,6 +9,7 @@ import tempfile
import os import os
import base64 import base64
import hashlib import hashlib
import copy
from formrender import FormRender from formrender import FormRender
from webserver import HTTPError, RequestHandler from webserver import HTTPError, RequestHandler
@ -158,6 +159,16 @@ HTML_SUBMIT_RESPONSE = u'''
{footer} {footer}
''' '''
def censor_form_values(form_def, form_values):
"""
Remove sensitive field values from form_values dict.
"""
censored_form_values = copy.copy(form_values)
for field in form_def.fields:
if field['type'] == 'password':
censored_form_values[field['name']] = '********'
return censored_form_values
class ScriptFormWebApp(RequestHandler): class ScriptFormWebApp(RequestHandler):
""" """
@ -421,7 +432,7 @@ class ScriptFormWebApp(RequestHandler):
log.info("Calling script: %s", form_def.script) log.info("Calling script: %s", form_def.script)
log.info("Current working dir: %s", cwd) log.info("Current working dir: %s", cwd)
log.info("User: %s", username) log.info("User: %s", username)
log.info("Variables: %s", dict(form_values.items())) log.info("Variables: %s", censor_form_values(form_def, form_values))
form_def = form_config.get_form_def(form_name) form_def = form_config.get_form_def(form_name)
result = runscript.run_script(form_def, form_values, self.wfile, result = runscript.run_script(form_def, form_values, self.wfile,
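Review bot: censor_form_values (in the hunk above, at `@ -158,6 +159,16`) writes `'********'` for every field of type 'password' in form_def, including fields that were not submitted, so the audit line can show a password key that was never in form_values; guarding the assignment with `if field['type'] == 'password' and field['name'] in censored_form_values:` keeps the logged key set equal to what was actually received. The docstring says "Remove sensitive field values", but the function replaces rather than removes them and only for the exact type string 'password'; a more accurate docstring would be `Return a shallow copy of form_values with the value of every field whose type is 'password' replaced by '********'.` The original log call used `dict(form_values.items())` while the new helper relies on `copy.copy(form_values)` supporting item assignment; if form_values is not a plain dict this presumably still works, but it is worth confirming against the caller. The enclosing method of the last hunk starts and ends outside the hunk.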
