[interchange-bugs] [rt.icdevgroup.org #314] Avoid logging of sensitive information in SagePay payment module
Peter
peter at pajamian.dhs.org
Thu Sep 10 09:45:33 UTC 2009
On 09/10/2009 02:18 AM, Stefan Hornburg via RT wrote:
> Thu Sep 10 09:18:52 2009: Request 314 was acted upon.
> Transaction: Ticket created by racke
> Queue: Interchange
> Subject: Avoid logging of sensitive information in SagePay payment module
> Owner: lynstgeorge
> Requestors: racke at linuxia.de
> Status: new
> Ticket <URL: http://rt.icdevgroup.org/Ticket/Display.html?id=314 >
>
>
> In this loop we are writing sensitive information to the disk:
>
> foreach my $key (sort keys(%query)) {
> ::logDebug("Query to SagePay: \"$key=$query{$key}\""); # nicely readable version of the string sent
> push @query, "$key=$query{$key}";
> }
>
> Please disable the logging or even better weed out / obfuscate the
> sensitive information.

Also \" is ugly. Much nicer version:

qq/Query to SagePay: "$key=$query{$key}"/

Considering that this is just debugging info it can probably just be
commented out like most of the other ::logDebug statements.

Peter
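
An added example, not part of the original thread or of the Interchange code base: one way to act on the ticket's request to weed out or obfuscate sensitive values before the loop writes them to the debug log. The field names, the `log_debug` stand-in for `::logDebug`, and the sample query are assumptions constructed for illustration.

```perl
use strict;
use warnings;

# Assumed field names (not taken from the module): keys considered safe to
# log in clear. Anything not listed here is redacted by default.
my %LOG_IN_CLEAR = map { $_ => 1 } qw(VendorTxCode Amount Currency TxType);

# Assumed name of the card number field; only its last four digits are logged.
my $CARD_FIELD = 'CardNumber';

# Return a log-safe rendering of one query value.
sub loggable_value {
    my ($key, $value) = @_;
    return '' unless defined $value && length $value;
    return $value if $LOG_IN_CLEAR{$key};
    if ($key eq $CARD_FIELD) {
        (my $digits = $value) =~ s/\D//g;
        my $keep = length($digits) > 4 ? 4 : 0;
        return ('*' x (length($digits) - $keep))
             . substr($digits, length($digits) - $keep);
    }
    return '[redacted]';
}

# Hypothetical stand-in for Interchange's ::logDebug so the example runs alone.
sub log_debug { print STDERR "debug: $_[0]\n" }

# Constructed sample request; the card number is a commonly used test value.
my %query = (
    VendorTxCode => 'constructed-0001',
    Amount       => '10.00',
    Currency     => 'GBP',
    CardNumber   => '4111 1111 1111 1111',
    CV2          => '123',
    ExpiryDate   => '0112',
);

my @query;
foreach my $key (sort keys %query) {
    my $safe = loggable_value($key, $query{$key});
    log_debug(qq/Query to SagePay: "$key=$safe"/);
    push @query, "$key=$query{$key}";    # the request itself is sent unchanged
}
```

Redacting by default means a field added to the request later stays out of the log until someone explicitly lists it as safe.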