Cannot Override Error Messages thrown in ValidationRules #67

Open
@meg23

From [email protected] on November 12, 2009 17:02:34

Certain certifications, such as PCI-DSS, mandate that sensitive
information cannot be persisted, including in log files. If a credit card
number or CVV, for example, fails input validation, the getValid method
will log the CC# entered into the logfile, even though it is not displayed
to the user. This is not easily controllable: because the intrusion
detector is handling the logging, we don't have a chance to override the
fact that the input value has been logged.

What is the expected output? What do you see instead?

The expectation is that either we have a means of overriding the messages
that are getting formed, by making the ValidationExceptions have hooks to
change the content of the message, or alternatively, provide a settable
flag somewhere that indicates the UI message should be used for logs as
well.

What version of the product are you using? On what operating system?

2.0rc4, All

Please provide any additional information below.

The key to address here is that the method of preventing the log should be
accessible by a superclass, but the superclass should not be required to
rewrite all the validation logic, as the only thing that needs to be
changed is the messages we log.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=57
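
An added illustration of the hook requested above, not ESAPI code and not part of the original issue: the validation logic stays in one base rule, and a subclass overrides only the text that reaches the log. The class names, `formatLogMessage` and the in-memory `LOG` list are hypothetical, and the card number is a constructed value.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical classes for illustration; not ESAPI's ValidationRule or IntrusionDetector.
public class LogMessageHookExample {
    static final List<String> LOG = new ArrayList<>(); // stands in for the log file

    static class ValidationFailure extends Exception {
        final String logMessage;
        ValidationFailure(String userMessage, String logMessage) {
            super(userMessage);
            this.logMessage = logMessage;
        }
    }

    // Base rule: validation logic lives here once; only the log text is overridable.
    static class PatternRule {
        private final String name, regex;
        PatternRule(String name, String regex) { this.name = name; this.regex = regex; }
        // Hook: the default echoes the raw input, the behaviour the issue reports.
        protected String formatLogMessage(String context, String input) {
            return "Invalid input: context=" + context + ", rule=" + name + ", input=" + input;
        }
        final String getValid(String context, String input) throws ValidationFailure {
            if (input != null && input.matches(regex)) return input;
            ValidationFailure f = new ValidationFailure(context + ": invalid input",
                    formatLogMessage(context, input));
            LOG.add(f.logMessage); // logging happens here, before the caller sees the exception
            throw f;
        }
    }

    // Rule for cardholder data: changes the logged text, inherits the validation.
    static class SensitiveRule extends PatternRule {
        SensitiveRule(String name, String regex) { super(name, regex); }
        @Override
        protected String formatLogMessage(String context, String input) {
            int len = input == null ? 0 : input.length();
            return "Invalid input: context=" + context + ", input=[REDACTED, length " + len + "]";
        }
    }

    public static void main(String[] args) {
        String constructed = "4111-1111-1111-111X"; // constructed value that fails the digit check
        for (PatternRule r : new PatternRule[] {
                new PatternRule("CreditCard", "\\d{13,19}"),
                new SensitiveRule("CreditCard", "\\d{13,19}") }) {
            try { r.getValid("cardNumber", constructed); } catch (ValidationFailure e) { /* UI shows e.getMessage() */ }
        }
        LOG.forEach(System.out::println); // first entry contains the value, second does not
    }
}
```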
