[OpenStreetMap] #5273: SECRET_KEY_BASE listed in error message

OpenStreetMap trac at noreply.openstreetmap.org
Mon Feb 2 01:35:20 UTC 2015


#5273: SECRET_KEY_BASE listed in error message
-------------------------+-------------------------
 Reporter:  aseerel4c26  |      Owner:  rails-dev@…
     Type:  defect       |     Status:  new
 Priority:  critical     |  Milestone:
Component:  website      |    Version:
 Keywords:  security     |
-------------------------+-------------------------
 A variable SECRET_KEY_BASE is listed in the section "Environment
 variables" of a ...

 "Web application could not be started
 No server available (Dalli::RingError)"

 ... error message of the osm website which I just saw (not any more).
 Value is something like eJ+wiOKsadkdsasAasd+fsfjKLalwe+sd...

 https://github.com/rails-api/rails-api/blob/dd6b71bd6e6e241529f541dc92b2076e9d238b28/lib/rails-api/templates/rails/app/config/initializers/secret_token.rb.tt
 says "Make sure your secret_key_base is kept private if you're sharing
 your code publicly."

 While I do not know if this is really a problem for OSM, I rather mention
 it ... It *looks* not that nice to expose a variable which is named
 "secret" to users.

--
Ticket URL: <https://trac.openstreetmap.org/ticket/5273>
OpenStreetMap <http://www.openstreetmap.org/>
OpenStreetMap is a free editable map of the whole world


