Re: httpapi_debug
Hi Scott,
Thanks a lot for prompt advice.
I will follow your suggestion.
Best Regards.
Kenrick
--------------------------------------------
On Mon, 2/23/15, Scott Klement <sk@xxxxxxxxxxxxxxxx> wrote:
Subject: Re: httpapi_debug
To: "HTTPAPI and FTPAPI Projects" <ftpapi@xxxxxxxxxxxxxxxxxxxxxx>
Date: Monday, February 23, 2015, 9:53 PM
Hi Kenrick,

The httpapi_debug file was intended as an aid to assist programmers with
debugging. As such, I never expected people to have it turned on in
production programs. What makes this file useful is that it lets me see
the raw data (along with various diagnostic messages I stuck in there to
test different things) that's shown when HTTPAPI is running -- this is
very useful when there are problems, but hopefully should not be needed
when the program is running in production?

So, I'm not sure it's necessary to mask the data in the file? If the
file is only on when debugging, developers should be able to delete the
data immediately, and therefore sensitive data should be a non-issue.

If you were to send a debug file to this list (for example) for
analysis, it's pretty easy to edit it with a program like Notepad and
just scrub out the sensitive data, since this happens only rarely.

Having said that, HTTPAPI provides a feature where you can write your
own logging routine to replace the one in HTTPAPI. You can do this, for
example:

     http_xproc( HTTP_POINT_DEBUG: %paddr(MyProc));

Where 'MyProc' is a subprocedure with the following prototype (you can
change the name to whatever you want, though):

     D MyProc          PR
     D   DataToLog                     *   value
     D   Length                      10I 0 value

When you define this exit procedure ("xproc") HTTPAPI will call this
procedure instead of writing the data out to a file. You can,
therefore, put code into this procedure that finds any sensitive data
and removes it, or puts XXXXX over it, or whatever.

Since the format of the data that's sent/received by HTTPAPI can be
absolutely _anything_, it's up to you to figure out a way to find your
sensitive data in the series of bytes that is logged, and figure out how
to replace it. There's no standard way, since everyone's data is in a
completely different format.

So -- again, I would strongly consider turning these off in production,
this is much easier than trying to somehow scrub the sensitive data
automatically.

-SK

On 2/23/2015 10:25 PM, Kenrick Chan wrote:
> Is there a way (parm associated with httpapi_debug) to mask sensitive
> data (e.g. credit card number) while httpapi_debug is writing to the
> log?
> If not, what is the more effective way to read the resulting IFS file
> and overwrite part of the content?
>
>
-----------------------------------------------------------------------
This is the FTPAPI mailing list. To unsubscribe, please go to:
http://www.scottklement.com/mailman/listinfo/ftpapi
-----------------------------------------------------------------------
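
One way to do the scrubbing discussed in the thread when the sensitive data is a card number, as an added example that is not part of the original messages or of HTTPAPI. It is written in C because the exit procedure's parameters (a pointer and a 4-byte integer, both by value) have the same shape as `(char *, int)`. The name `scrub_pans`, the Luhn-based detection rule, the separate output buffer, and the assumption that the logged bytes use the character encoding the program is compiled for are all choices made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Luhn check over the digits in buf[start..end); separators are skipped. */
static int luhn_ok(const char *buf, int start, int end) {
    int sum = 0, dbl = 0;
    for (int i = end - 1; i >= start; i--) {
        if (!isdigit((unsigned char)buf[i])) continue;
        int d = buf[i] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Copy in[0..len) to out (caller supplies len bytes), replacing all but the
   last four digits of each 13-19 digit Luhn-valid run with 'X'. Spaces and
   dashes between digits are tolerated. The input buffer is never modified,
   so the data being sent or received cannot be altered by the logger.
   Returns the number of runs masked. */
int scrub_pans(const char *in, int len, char *out) {
    int masked = 0;
    if (len <= 0) return 0;
    memcpy(out, in, (size_t)len);
    for (int i = 0; i < len; i++) {
        if (!isdigit((unsigned char)in[i])) continue;
        int digits = 0, end = -1, hide = 0;
        for (int j = i; j < len && digits < 19; j++) {
            if (isdigit((unsigned char)in[j])) {
                if (++digits >= 13 && luhn_ok(in, i, j + 1)) {
                    end = j + 1;          /* longest valid candidate wins */
                    hide = digits - 4;
                }
            } else if (in[j] != ' ' && in[j] != '-') break;
        }
        if (end < 0) continue;            /* no card-like run starts here */
        for (int k = i; hide > 0; k++)
            if (isdigit((unsigned char)in[k])) { out[k] = 'X'; hide--; }
        masked++;
        i = end - 1;                      /* resume after the masked run */
    }
    return masked;
}

int main(void) {
    const char s[] = "card=4111-1111-1111-1111&amt=10"; /* constructed sample */
    char out[sizeof s] = {0};
    printf("%d masked: %s\n", scrub_pans(s, (int)strlen(s), out), out);
    return 0;
}
```

The rule errs toward over-masking: any 13 to 19 digit run that happens to pass the Luhn check is hidden, which is normally acceptable in a debug log. Data formats that encode or split the number differently need their own detection rule.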