Tick #8432: Exception notification plugin and parameters with sensitive info

Tim_Lucas · May 22, 2007, 3:46pm

As does seem to be the custom these days...

http://dev.rubyonrails.org/ticket/8432

From the ticket page:

The exception notification plugin doesn't respect filtered parameters and, as a result, emails can be sent out that contain some interesting data (*cough* credit card numbers *cough*).

Attached is a patch (with tests) that uses the controller's param filtering to make sure emails don't contain any surprises.

This fixes a potential security problem for anybody using the ExceptionNotification plugin and processing sensitive information.

-- tim

Michael_Koziarski1 · May 24, 2007, 7:05am

This is jamis' baby and he's on holiday till the weekend. Looks good to me though, so he'll no doubt apply when he's back

Tim_Lucas · May 24, 2007, 7:27am

No problemo—I figured he wouldn't be hanging out on the Rails trac during his vacation

-- tim