This project is archived and is in readonly mode.

#5652 ✓wontfix
greg (at araelium)

config.filter_parameters doesn't affect debug(params)

Reported by greg (at araelium) | September 18th, 2010 @ 07:06 AM

Seems to me that <%= debug(params) %> should be modified by config.filter_parameters

It's not unprecedented -- I used a language (Lasso) for many years which this similar ability of config.filter_parameters, and whenever the equivalent of params was displayed, that list was filtered to prevent display of identified values, though it still displayed the names of course.

Comments and changes to this ticket

  • Rohit Arondekar

    Rohit Arondekar September 18th, 2010 @ 07:33 AM

    • Importance changed from “” to “Low”

    I don't think so imho. Debug is for debugging and you don't want to filter any parameters at that time. You shouldn't be developing with the production database any way so you shouldn't be looking at any important params. It's main job is to filter sensitive params from the logs.

    Anybody else have an opinion on this?

  • greg (at araelium)

    greg (at araelium) September 18th, 2010 @ 09:25 AM

    Mmm, I can see where that logic might arise, and I'll attempt a counter thought with "if it's sensitive, it's sensitive" and the framework shouldn't be making any assumptions as to when it is or isn't suitable to be displayed. config.filter_parameters allows me to decide that I don't want certain things to show accidently outside my app code, so the framework should make that as universally applicable as possible. I can use other methods to override that if I need to from removing it, to using environments (I think), to something as barbaric as re-assigning to another var name to output if I really need to see it.

    Anyway, I guess that's my 4¢. Just something to consider.

  • David Trasbo

    David Trasbo September 20th, 2010 @ 12:46 PM

    I totally agree with Rohit.

    There will always be a way to somehow disclose filtered params in development. A silly example:

    class SessionsController < ApplicationController
      def create
        raise params[:password] # oh no, security breach!

    You chose to display what's in params while in the development environment - that's your responsibility. Besides, as Rohit said, of course you're not working with sensitive data in development.

    IMHO, this should just be marked wontfix.

  • Rohit Arondekar

    Rohit Arondekar September 20th, 2010 @ 01:06 PM

    • State changed from “new” to “wontfix”

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>