Closed dineshpanda closed 5 years ago
Better Errors is a debugging tool for development. Hiding what looks like sensitive information would make Better Errors less useful as a debugging tool.
To address your specific use case: if you're entering your real LDAP credentials into a form in a development application, you're already leaving yourself open to a few attack vectors. I recommend using a development LDAP server, or at least development user accounts, rather than connecting to a production LDAP server and entering your production credentials to develop or test functionality.
This was raised in #234 much earlier and it was closed, however I think this is a real issue that needs attention.
Reason: I am working on a project that uses LDAP authentication, and if there is any issue on the login page (example: ActionController::InvalidAuthenticityToken), Better Errors simply shows my LDAP login password on the error page in front of my fellow colleagues.
I think the password should be masked/filtered, just like the way it appears in the Rails log when Devise is used for authentication, and this is taken care of in the development environment as well.