
Re: httpapi_debug



Hi Scott,

Thanks a lot for the prompt advice.

I will follow your suggestion.

Best Regards.

Kenrick

--------------------------------------------
On Mon, 2/23/15, Scott Klement <sk@xxxxxxxxxxxxxxxx> wrote:

 Subject: Re: httpapi_debug
 To: "HTTPAPI and FTPAPI Projects" <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
 Date: Monday, February 23, 2015, 9:53 PM
 
 Hi Kenrick,
 
 The httpapi_debug file was intended as an aid to assist programmers with debugging.  As such, I never expected people to have it turned on in production programs.  What makes this file useful is that it lets me see the raw data (along with various diagnostic messages I stuck in there to test different things) that's shown when HTTPAPI is running -- this is very useful when there are problems, but hopefully should not be needed when the program is running in production?
 
 So, I'm not sure it's necessary to mask the data in the file?  If the file is only on when debugging, developers should be able to delete the data immediately, and therefore sensitive data should be a non-issue.  If you were to send a debug file to this list (for example) for analysis, it's pretty easy to edit it with a program like Notepad and just scrub out the sensitive data, since this happens only rarely.
 
 Having said that, HTTPAPI provides a feature where you can write your own logging routine to replace the one in HTTPAPI.  You can do this, for example:
 
      
    http_xproc( HTTP_POINT_DEBUG: %paddr(MyProc));
 
 Where 'MyProc' is a subprocedure with the following prototype (you can change the name to whatever you want, though):
 
    D MyProc          PR
    D   DataToLog                     *   value
    D   Length                      10I 0 value
 
 When you define this exit procedure ("xproc") HTTPAPI will call this procedure instead of writing the data out to a file.  You can, therefore, put code into this procedure that finds any sensitive data and removes it, or puts XXXXX over it, or whatever.
 
 Since the format of the data that's sent/received by HTTPAPI can be absolutely _anything_, it's up to you to figure out a way to find your sensitive data in the series of bytes that is logged, and figure out how to replace it.  There's no standard way, since everyone's data is in a completely different format.
 
 So -- again, I would strongly consider turning these off in production, this is much easier than trying to somehow scrub the sensitive data automatically.
 
 -SK
 
 On 2/23/2015 10:25 PM, Kenrick Chan wrote:
 >     Is there a way (parm associated with httpapi_debug) to mask sensitive
 >     data (e.g. credit card number) while httpapi_debug is writing to the
 >     log?
 >     If not, what is the more effective way to read the resulting IFS file
 >     and overwrite part of the content?
 >
 >
 
 -----------------------------------------------------------------------
 This is the FTPAPI mailing list.  To unsubscribe, please go to:
 http://www.scottklement.com/mailman/listinfo/ftpapi
 -----------------------------------------------------------------------
 
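One way to do the scrubbing discussed in this thread, as an added example that is not part of the original messages and is not HTTPAPI code: a Python script that overwrites card numbers in a saved debug file, going slightly beyond the thread by using a Luhn check to skip ids and timestamps. It assumes the numbers appear as ASCII digits in the logged bytes; `mask_pans`, `scrub_file` and the sample data are hypothetical names and constructed values.

```python
import re

# Candidate card number: 13-19 ASCII digits, optionally split by single spaces or hyphens.
PAN_RE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum; filters out ids, timestamps and lengths that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pans(data: bytes) -> bytes:
    """Overwrite all but the last four digits of each Luhn-valid number with 'X'."""
    def repl(m):
        raw = m.group(0)
        digits = bytes(c for c in raw if 0x30 <= c <= 0x39)
        if not luhn_ok(digits):
            return raw                      # not a card number, leave untouched
        keep_from, seen, out = len(digits) - 4, 0, bytearray()
        for c in raw:
            if 0x30 <= c <= 0x39:
                out.append(c if seen >= keep_from else ord("X"))
                seen += 1
            else:
                out.append(c)               # keep separators so the log layout is unchanged
        return bytes(out)
    return PAN_RE.sub(repl, data)

def scrub_file(path: str) -> bool:
    """Rewrite a debug log in place; returns True if anything was masked."""
    with open(path, "rb") as f:
        data = f.read()
    masked = mask_pans(data)
    if masked != data:
        with open(path, "wb") as f:
            f.write(masked)
    return masked != data

# Constructed sample, not real HTTPAPI output (4111111111111111 is a common test number).
SAMPLE = (b"POST /pay HTTP/1.1\r\nX-Request-Id: 2015022321530000\r\n\r\n"
          b"card=4111111111111111&alt=4111-1111-1111-1111&amt=10.00\r\n")

if __name__ == "__main__":
    print(mask_pans(SAMPLE).decode("ascii"))
```

A pattern match like this can miss numbers that are encoded, split across log writes, or run together with other digits, so it complements turning the debug file off in production rather than replacing it.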