Passing parameters in URL
Diez B. Roggisch
deets at nospam.web.de
Wed Feb 3 18:26:17 EST 2010
On 03.02.10 23:35, Paul Rubin wrote:
> "Diez B. Roggisch"<deets at nospam.web.de> writes:
>> If somebody happens to have access to a proxy & its logs, he can as
>> well log the request body.
>
> I'm not talking about a malicious server operator. In this situation, I
> was the server operator and I didn't want to be recording the
> conversations. I had to go out of my way to stop the recording. SSL
> doesn't help and in fact I was using it, but web server logging happens
> after the SSL layer. I suppose SSL would help against a malicious
> proxy.

Well, we actually implemented POST-parameter logging (inside the
WSGI-app), because we *want* all parameters users pass. They end up in
the application anyway, and aid debugging. Of course we blind sensitive
parameters such as passwords & credit card numbers.

Of course only information not gathered is really safe information. But
every operation that has side-effects is reproducible anyway, and if
e.g. your chat-app has a history, you can as well log the parameters.

Diez
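
The approach described in the message above, POST-parameter logging inside the WSGI app with sensitive parameters blinded, sketched as an added example that is not part of the original post or the poster's own code. The field names in `SENSITIVE`, the logger name and the body size cap are assumptions.

```python
import io
import logging
from urllib.parse import parse_qsl

log = logging.getLogger("post-params")  # assumed logger name

# Assumed names of sensitive form fields; adjust to the application's forms.
SENSITIVE = {"password", "passwd", "card_number", "cvv"}
MAX_BODY = 64 * 1024  # assumed cap: larger bodies are neither buffered nor logged


def blind(pairs, sensitive=SENSITIVE):
    """Return (key, value) pairs with sensitive values replaced by a mask."""
    return [(k, "***" if k.lower() in sensitive else v) for k, v in pairs]


class PostParamLogger:
    """WSGI middleware: log form-encoded POST parameters, blinded."""

    def __init__(self, app, sensitive=SENSITIVE):
        self.app = app
        self.sensitive = sensitive

    def __call__(self, environ, start_response):
        ctype = environ.get("CONTENT_TYPE", "").split(";")[0].strip().lower()
        if (environ.get("REQUEST_METHOD") == "POST"
                and ctype == "application/x-www-form-urlencoded"):
            try:
                length = int(environ.get("CONTENT_LENGTH") or 0)
            except ValueError:
                length = 0  # malformed header: pass the request through unlogged
            if 0 < length <= MAX_BODY:
                body = environ["wsgi.input"].read(length)
                # Hand the wrapped app a fresh stream over the same bytes.
                environ["wsgi.input"] = io.BytesIO(body)
                pairs = parse_qsl(body.decode("utf-8", "replace"),
                                  keep_blank_values=True)
                # Values are masked before they reach any log handler.
                log.info("POST %s params=%r", environ.get("PATH_INFO", ""),
                         blind(pairs, self.sensitive))
        return self.app(environ, start_response)
```

Masking by field name only covers parameters listed in `SENSITIVE`; a secret typed into a free-text field is still written to the log.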