Question

For fairly obvious reasons, I would like to identify the best way to remove the Auth_Password from being captured by ELMAH. What is the best way to go about doing so?


Solution

Since ELMAH is open source, I modified the Error.CS file like so. Inside of the Error constructor of Error.CS (about line 126), I added this:

_serverVariables.Remove(AUTH_PASSWORD);
// AUTH_PASSWORD is a const string with the value "AUTH_PASSWORD", set elsewhere

OTHER TIPS

I've managed to do this without modifying the ELMAH source: http://www.kipusoep.nl/2012/01/06/umbraco-elmah-with-sql-ce-4-0-and-authentication-part-2/

I just encountered the same thing; solved using the following:

using Elmah;
using ElmahErrorLogModule = Elmah.ErrorLogModule;

namespace XXXX
{
    public class ErrorLogModule : ElmahErrorLogModule
    {
        protected override void OnErrorSignaled(object sender, ErrorSignalEventArgs args)
        {
            // Remove password from the server variables being serialized
            args.Context.Request.ServerVariables.Remove("AUTH_PASSWORD");

            //TODO: remove session id, cookie too?

            base.OnErrorSignaled(sender, args);
        }
    }
}

And updated the ErrorLog module in web.config, configuration/system.webServer/modules to:

<add name="ErrorLog" type="XXXX.ErrorLogModule" preCondition="managedHandler" />

This will solve the problem without a second round trip. Not a problem if the password is subsequently used from the incoming request as the Elmah source shows it takes a copy.

I realize this is a bit late in response to the above, but the problem seems to have been corrected in current Elmah for ASP, and not for Elmah.Mvc nuget package.

I wasn't able to get @Dominic Birch's answer working, because context is readonly. Instead, I derived from the ErrorLog (in my case, MySqlErrorLog) and did it there:

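using System;
using System.Collections;
using System.Linq;
using Elmah;

public class FilteringMySqlErrorLog : MySqlErrorLog
{
    // Form field names containing any of these fragments are stripped before logging
    static readonly string[] _stripSearch = new[] { "password", "cardnumber", "ccnumber", "cvv" };

    public FilteringMySqlErrorLog(IDictionary config)
        : base(config)
    { }

    public override string Log(Error error)
    {
        error.ServerVariables.Remove("AUTH_PASSWORD");

        // Iterate over a copy of the keys because the collection is modified in the loop
        foreach (string key in error.Form.AllKeys.ToList())
        {
            // A NameValueCollection can hold a null key; skip it rather than throw
            if (key != null && _stripSearch.Any(x => key.IndexOf(x, StringComparison.InvariantCultureIgnoreCase) != -1))
                error.Form.Remove(key);
        }

        return base.Log(error);
    }
}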
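
An added example, not taken from any of the answers or from ELMAH itself: a helper that a `Log` override like the one above could call instead of the single `Remove("AUTH_PASSWORD")`. It assumes Basic authentication, where the same credential also reaches the log through `HTTP_AUTHORIZATION`, `ALL_HTTP` and `ALL_RAW`, and it covers the session cookie raised in the earlier TODO; the class and method names are hypothetical, and the data in `Main` is constructed.

```csharp
using System;
using System.Collections.Specialized;
using System.Linq;

// Hypothetical helper (not part of ELMAH): scrubs the collections ELMAH copies into an Error.
public static class ErrorScrubber
{
    // Assumption: Basic auth. The credential is then also present in the
    // Authorization header, which IIS repeats in ALL_HTTP and ALL_RAW.
    // HTTP_COOKIE carries the session cookie.
    static readonly string[] ServerVarsToDrop =
        { "AUTH_PASSWORD", "HTTP_AUTHORIZATION", "HTTP_COOKIE", "ALL_HTTP", "ALL_RAW" };

    static readonly string[] SensitiveFragments =
        { "password", "cardnumber", "ccnumber", "cvv" };

    public static void DropServerVariables(NameValueCollection vars)
    {
        foreach (string name in ServerVarsToDrop)
            vars.Remove(name); // no-op when the key is absent
    }

    // Masks instead of removing, so the log still shows the field was posted.
    public static void MaskSensitive(NameValueCollection values)
    {
        foreach (string key in values.AllKeys.Where(k => k != null).ToList())
            if (SensitiveFragments.Any(f => key.IndexOf(f, StringComparison.OrdinalIgnoreCase) >= 0))
                values[key] = "[removed]";
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data standing in for error.ServerVariables and error.Form.
        var vars = new NameValueCollection {
            { "AUTH_USER", "alice" }, { "AUTH_PASSWORD", "constructed-secret" },
            { "HTTP_AUTHORIZATION", "Basic <constructed>" },
            { "ALL_RAW", "Authorization: Basic <constructed>" },
            { "REMOTE_ADDR", "192.0.2.10" } };
        var form = new NameValueCollection {
            { "NewPassword", "constructed-secret" }, { "Comment", "hi" } };

        ErrorScrubber.DropServerVariables(vars);
        ErrorScrubber.MaskSensitive(form);
        Console.WriteLine(string.Join(", ", vars.AllKeys));
        Console.WriteLine(form["NewPassword"] + " / " + form["Comment"]);
    }
}
```

In the `Log` override, pass `error.ServerVariables` to `DropServerVariables` and `error.Form` and `error.QueryString` to `MaskSensitive` before calling `base.Log(error)`.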
Licensed under: CC-BY-SA with attribution