emartech / magento2-extension

Emarsys Magento2 Extension
MIT License

Security issue - Every event data is logged #12

Closed BrocksiNet closed 5 years ago

BrocksiNet commented 5 years ago

This is not good. Please remove the logging of "event_data".

See here: https://github.com/emartech/magento2-extension/blob/7e8ee1979b70fd26cba3af22098670076c75d873/Helper/BaseEventHandler.php#L136

You can see all customer data in the log...

iben12 commented 5 years ago

That’s totally reasonable, thanks for pointing it out.

Do you think logging the event type only could be useful for later reference?

BrocksiNet commented 5 years ago

Yes. But maybe you should also add a config where you can activate or deactivate the "info logs" or also "debug logs". Because you will need a lot of space when you have a lot of traffic. And when everything is working you normally do not care about the logs ;-)

iben12 commented 5 years ago

Log has been modified to include the event type only.
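
The change discussed in this thread, as an added example that is not part of the thread or the extension's own code: a handler that logged the full event payload beside one that logs the event type only and honours a config switch for info logs. The class names, method names, the `infoLogEnabled` flag, the event type and the payload are all assumptions constructed for illustration (PHP 8).

```php
<?php
declare(strict_types=1);

// Stand-in for a PSR-3 style logger so the example runs without Magento.
final class MemoryLogger
{
    public array $lines = [];

    public function info(string $message, array $context = []): void
    {
        $this->lines[] = $message . ' ' . json_encode($context);
    }
}

// Hypothetical handler; class and method names are assumptions.
final class EventHandler
{
    public function __construct(
        private MemoryLogger $logger,
        private bool $infoLogEnabled // hypothetical admin config switch
    ) {
    }

    // Before: the whole payload, customer data included, reaches the log.
    public function saveEventVerbose(string $type, array $eventData): void
    {
        $this->logger->info('store_event', ['event_type' => $type, 'event_data' => $eventData]);
    }

    // After: event type only, and only when info logging is enabled.
    public function saveEvent(string $type, array $eventData): void
    {
        // (persisting $eventData would happen here)
        if ($this->infoLogEnabled) {
            $this->logger->info('store_event', ['event_type' => $type]);
        }
    }
}

// Constructed sample payload and event type.
$payload = ['customer' => ['email' => 'jane.doe@example.com', 'firstname' => 'Jane']];
$logger = new MemoryLogger();
(new EventHandler($logger, true))->saveEventVerbose('customers/update', $payload);
(new EventHandler($logger, true))->saveEvent('customers/update', $payload);
(new EventHandler($logger, false))->saveEvent('customers/update', $payload); // logs nothing

foreach ($logger->lines as $line) {
    echo str_contains($line, 'jane.doe@example.com') ? 'LEAKS PII  ' : 'ok         ', $line, PHP_EOL;
}
```

The final loop doubles as a regression check: feeding a known marker value through the handler and scanning the log output for it shows whether payload data still reaches the log.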