
Re: httpapi_debug



Hi Kenrick,

The httpapi_debug file was intended as an aid to assist programmers with debugging. As such, I never expected people to have it turned on in production programs. What makes this file useful is that it lets me see the raw data (along with various diagnostic messages I stuck in there to test different things) that's shown when HTTPAPI is running -- this is very useful when there are problems, but hopefully should not be needed when the program is running in production?

So, I'm not sure it's necessary to mask the data in the file? If the file is only on when debugging, developers should be able to delete the data immediately, and therefore sensitive data should be a non-issue. If you were to send a debug file to this list (for example) for analysis, it's pretty easy to edit it with a program like Notepad and just scrub out the sensitive data, since this happens only rarely.

Having said that, HTTPAPI provides a feature where you can write your own logging routine to replace the one in HTTPAPI. You can do this, for example:

        http_xproc( HTTP_POINT_DEBUG: %paddr(MyProc));

Where 'MyProc' is a subprocedure with the following prototype (you can change the name to whatever you want, though):

  D MyProc          PR
  D   DataToLog                     *   value
  D   Length                      10I 0 value

When you define this exit procedure ("xproc") HTTPAPI will call this procedure instead of writing the data out to a file. You can, therefore, put code into this procedure that finds any sensitive data and removes it, or puts XXXXX over it, or whatever.

Since the format of the data that's sent/received by HTTPAPI can be absolutely _anything_, it's up to you to figure out a way to find your sensitive data in the series of bytes that is logged, and figure out how to replace it. There's no standard way, since everyone's data is in a completely different format.

So -- again, I would strongly consider turning these off in production; this is much easier than trying to somehow scrub the sensitive data automatically.

-SK

On 2/23/2015 10:25 PM, Kenrick Chan wrote:
    Is there a way (parm associated with httpapi_debug) to mask sensitive
    data (e.g. credit card number) while httpapi_debug is writing to the
    log?
    If not, what is the more effective way to read the resulting IFS file
    and overwrite part of the content?



-----------------------------------------------------------------------
This is the FTPAPI mailing list.  To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
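
Added example (not part of the original message and not HTTPAPI code): the kind of scrubbing logic the exit procedure described above could apply to the bytes it is handed, written in C rather than RPG so it can be compiled and tested anywhere. It takes the same two values as the prototype (a pointer and a length) and assumes the card number appears as an unbroken run of 13 to 19 digits; the function name, the output buffer and the Luhn filter are choices made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Luhn check over n digit characters; returns 1 when the checksum is valid. */
static int luhn_ok(const char *d, int n)
{
    int sum = 0, dbl = 0;
    for (int i = n - 1; i >= 0; i--) {
        int v = d[i] - '0';
        if (dbl) { v *= 2; if (v > 9) v -= 9; }
        sum += v;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Hypothetical helper (name is an assumption). Copies length bytes from data
 * to out, which must hold at least length bytes, and overwrites all but the
 * last four digits of every 13-19 digit run that passes Luhn with 'X'.
 * data is only read, never changed. Returns the number of runs masked. */
int scrub_card_numbers(const char *data, int length, char *out)
{
    int masked = 0, i = 0;
    if (length <= 0) return 0;
    memcpy(out, data, (size_t)length);
    while (i < length) {
        int start = i;
        while (i < length && data[i] >= '0' && data[i] <= '9') i++;
        int n = i - start;
        if (n >= 13 && n <= 19 && luhn_ok(data + start, n)) {
            memset(out + start, 'X', (size_t)(n - 4));
            masked++;
        }
        if (n == 0) i++;   /* not a digit: step past it */
    }
    return masked;
}

int main(void)
{
    /* Constructed sample; 4111111111111111 is a well-known test number. */
    const char sample[] = "POST /pay\r\ncard=4111111111111111&order=1234567890123456";
    char out[sizeof sample];
    int n = scrub_card_numbers(sample, (int)strlen(sample), out);
    out[strlen(sample)] = '\0';
    printf("%d masked: %s\n", n, out);
    return 0;
}
```

The Luhn filter keeps long numeric fields that are not card numbers (order ids, timestamps) readable in the log; numbers written with spaces or dashes between digit groups are not matched by this version.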