Passing parameters in URL

Diez B. Roggisch deets at nospam.web.de
Thu Feb 4 00:26:17 CET 2010


Am 03.02.10 23:35, schrieb Paul Rubin:
> "Diez B. Roggisch"<deets at nospam.web.de>  writes:
>> If somebody happens to have access to a proxy&  it's logs, he can as
>> well log the request body.
>
> I'm not talking about a malicious server operator.  In this situation, I
> was the server operator and I didn't want to be recording the
> conversations.  I had to go out of my way to stop the recording.  SSL
> doesn't help and in fact I was using it, but web server logging happens
> after the SSL layer.  I suppose SSL would help against a malicious
> proxy.

Well, we actually implemented POST-parameter logging (inside the 
WSGI-app), because we *want* all parameters users pass. They end up in 
the application anyway, and aid debugging. Of course we blind sensitive 
parameters such as passwords & creditcard numbers.

Of course only information not gathered is really safe information. But 
every operation that has side-effects is reproducable anyway, and if 
e.g. your chat-app has a history, you can as well log the parameters.

Diez



More information about the Python-list mailing list