[interchange-bugs] [rt.icdevgroup.org #314] Avoid logging of sensitive information in SagePay payment module
Stefan Hornburg via RT
interchange at rt.icdevgroup.org
Thu Sep 10 09:52:46 UTC 2009
<URL: http://rt.icdevgroup.org/Ticket/Display.html?id=314 >
On Thu Sep 10 09:45:41 2009, pajamian wrote:
> On 09/10/2009 02:18 AM, Stefan Hornburg via RT wrote:
> > Thu Sep 10 09:18:52 2009: Request 314 was acted upon.
> > Transaction: Ticket created by racke
> > Queue: Interchange
> > Subject: Avoid logging of sensitive information in SagePay payment module
> > Owner: lynstgeorge
> > Requestors: racke at linuxia.de
> > Status: new
> > Ticket <URL: http://rt.icdevgroup.org/Ticket/Display.html?id=314 >
> >
> >
> > In this loop we are writing sensitive information to the disk:
> >
> > foreach my $key (sort keys(%query)) {
> >     ::logDebug("Query to SagePay: \"$key=$query{$key}\""); # nicely readable version of the string sent
> >     push @query, "$key=$query{$key}";
> > }
> >
> > Please disable the logging or even better weed out / obfuscate the
> > sensitive information.
>
>
> Also \" is ugly. Much nicer version:
> qq/Query to SagePay: "$key=$query{$key}"/
>
> Considering that this is just debugging info it can probably just be
> commented out like most of the other ::logDebug statements.
Even then we should set a good example.
Regards
Racke
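
One way to obfuscate the logged values as the ticket requests, shown as an added example that is not part of the thread or of the SagePay module's code. The sensitive field names, the helpers `redact_value` and `build_query`, and the sample data are assumptions made for illustration.

```perl
use strict;
use warnings;

# Assumed names of sensitive request fields; adjust to the keys the
# module really puts into %query (the thread does not list them).
my %SENSITIVE = map { lc($_) => 1 }
    qw(CardNumber CV2 ExpiryDate StartDate IssueNumber);

# Return a log-safe copy of one value: card numbers keep only their last
# four digits, every other sensitive field is replaced outright.
sub redact_value {
    my ($key, $value) = @_;
    $value = '' unless defined $value;
    return $value unless $SENSITIVE{lc $key} && length $value;
    if (lc $key eq 'cardnumber') {
        (my $digits = $value) =~ s/\D//g;
        return length($digits) > 4
            ? ('*' x (length($digits) - 4)) . substr($digits, -4)
            : '*' x length($digits);
    }
    return '[redacted]';
}

# Build the wire query and, separately, a redacted list for the debug log,
# so the real values never reach the logging call.
sub build_query {
    my (%query) = @_;
    my (@query, @loggable);
    foreach my $key (sort keys %query) {
        push @query,    "$key=$query{$key}";
        push @loggable, "$key=" . redact_value($key, $query{$key});
    }
    return (\@query, \@loggable);
}

# Constructed sample data (a well-known test card number, not a real account).
my %query = (
    VendorTxCode => 'order-0001',
    Amount       => '10.00',
    CardNumber   => '4111 1111 1111 1111',
    CV2          => '123',
    ExpiryDate   => '1212',
);

my ($wire, $log) = build_query(%query);
# Inside Interchange this print would be the module's ::logDebug(...) call.
print qq/Query to SagePay: "$_"\n/ for @$log;
```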