[interchange-bugs] [rt.icdevgroup.org #314] Avoid logging of sensitive information in SagePay payment module

Stefan Hornburg via RT interchange at rt.icdevgroup.org
Thu Sep 10 09:52:46 UTC 2009


<URL: http://rt.icdevgroup.org/Ticket/Display.html?id=314 >

On Thu Sep 10 09:45:41 2009, pajamian wrote:
> On 09/10/2009 02:18 AM, Stefan Hornburg via RT wrote:
> > Thu Sep 10 09:18:52 2009: Request 314 was acted upon.
> > Transaction: Ticket created by racke
> >        Queue: Interchange
> >      Subject: Avoid logging of sensitive information in SagePay
> payment module
> >        Owner: lynstgeorge
> >   Requestors: racke at linuxia.de
> >       Status: new
> >  Ticket <URL: http://rt.icdevgroup.org/Ticket/Display.html?id=314 >
> >
> >
> > In this loop we are writing sensitive information to the disk:
> >
> > 	foreach my $key (sort keys(%query)) {
> >     	::logDebug("Query to SagePay: \"$key=$query{$key}\""); # nicely
> readable version of the string sent
> >        	push @query, "$key=$query{$key}";
> >     	}
> >
> > Please disable the logging or even better weed out / obfuscate the
> > sensitive information.
> 
> 
> Also \" is ugly.  Much nicer version:
> qq/Query to SagePay: "$key=$query{$key}"/
> 
> Considering that this is just debugging info it can probably just be
> commented out like most of the other ::logDebug statements.

Even then we should set a good example.

Regards
         Racke




More information about the interchange-bugs mailing list