google-code-export / rubycas-server

Automatically exported from code.google.com/p/rubycas-server
GNU Lesser General Public License v2.1

Username and password visible in case of exceptions #88

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Dear all,

First of all thanks for the great code!!!

I want to link RubyCAS to Drupal and therefore I am experimenting with the
config.yml file to find the correct settings (which are not yet clear to
me - but that's another issue). As something is not working correctly I
receive the exception message in the browser (attached), which is helpful,
but in a production environment this message should not be visible to the
outside world. Even passwords are listed unencrypted!
I discovered that this is because in the rackup file of rack the
environment is set to "development" and therefore ShowException is set.

I think it would be good if in the config.yml one would have the
possibility to define the environment as either "development" or
"deployment", as these parameters are interpreted by rackup.

But maybe I am wrong and this setting is already covered somewhere. But
then, please let me know.

Looking forward to hearing from you.
Best regards,
Olaf

-------------------------------------------------------------

What steps will reproduce the problem?
1. An access via Drupal/phpCAS to rubycas-server with a wrong encryption
setting in config.yml (see below)

What version of RubyCAS-Server are you using? How is it installed (rubygem,
manual install)? How are you running it (webrick, mongrel, passenger,
etc.)?
Install via gem
Server: webrick
RubyServer: rubycas-server-0.7.999999.20100202

If relevant, please paste your RubyCAS-Server config.yml file here.
-> is attached (look for user:test and password:hallo)

Original issue reported on code.google.com by olaf.tri...@gmail.com on 15 May 2010 at 3:52

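As an added example (not rubycas-server's own code, and not Rack's), here is a minimal Rack-style exception middleware that does what the report asks for: it reads an `environment` key from config.yml (a hypothetical key, as proposed above), shows exception detail only under "development", and filters credential-looking parameters such as `password` out of the request before anything is rendered. It uses only the Ruby standard library, so it runs without the rack gem; `rack.request.form_hash` is the env key under which Rack::Request stores parsed form parameters.

```ruby
# Added example, not rubycas-server or Rack code. Rack::ShowExceptions (enabled
# by rackup in the "development" environment) renders the failing request with
# its POST parameters, which is how the password ended up in the browser.
require 'yaml'

# Parameter names that look like credentials and must never be rendered.
SENSITIVE = /pass|pwd|secret|token/i

# Return a copy of params with credential-looking values replaced.
def redact_params(params)
  params.map { |k, v| [k, k.to_s.match?(SENSITIVE) ? '[FILTERED]' : v] }.to_h
end

# Read the (hypothetical) `environment` key from config.yml text.
# Anything other than "development" falls back to "deployment", so a
# missing or mistyped setting fails closed and never exposes details.
def environment_from_config(yaml_text)
  cfg = YAML.safe_load(yaml_text) || {}
  cfg['environment'].to_s == 'development' ? 'development' : 'deployment'
end

# Rack-style middleware: `app` is anything responding to call(env) and
# returning [status, headers, body].
class SafeExceptions
  def initialize(app, environment)
    @app = app
    @environment = environment
  end

  def call(env)
    @app.call(env)
  rescue StandardError => e
    # Even the development page only ever sees redacted parameters.
    params = redact_params(env.fetch('rack.request.form_hash', {}))
    body = if @environment == 'development'
             "#{e.class}: #{e.message}\nparams: #{params.inspect}"
           else
             'Internal Server Error'
           end
    [500, { 'Content-Type' => 'text/plain' }, [body]]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request mirroring the report's user:test / password:hallo.
  env = { 'rack.request.form_hash' => { 'username' => 'test', 'password' => 'hallo' } }
  failing_app = ->(_env) { raise 'wrong encryption setting in config.yml' }
  puts SafeExceptions.new(failing_app, 'development').call(env)[2].join
end
```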

GoogleCodeExporter commented 9 years ago
No, you're right. The move to rack was fairly recent, and I guess this is
something that no one has figured in just yet.

A config setting for this in config.yml sounds right to me.

Original comment by matt.zuk...@gmail.com on 18 May 2010 at 4:11

GoogleCodeExporter commented 9 years ago

Original comment by matt.zuk...@gmail.com on 8 Jun 2010 at 9:51

GoogleCodeExporter commented 9 years ago
Need to check whether this is still an issue under Sinatra.

Original comment by matt.zuk...@gmail.com on 21 Dec 2010 at 9:14