There is a very useful method in the Net::HTTP
library that gives the ability to debug HTTP requests.
Here is what the documentation says about it:
set_debug_output(output)
WARNING This method causes serious security hole. Never use this method in production code.
Set an output stream for debugging.
http://ruby-doc.org/stdlib/libdoc/net/http/rdoc/classes/Net/HTTP.html#M001371
What security hole is mentioned here?
Looking at the code, there is no other security hole, except for the fact that everything in the HTTP protocol is passed to the stream you provide. If you don't take care and the output is put somewhere you don't suspect it, this could expose the internal workings of your application.
IMHO, the statement in the documentation is pretty hard and doesn't provide a good explanation regarding the security hole. I think the comment should read something along the lines of:
Be careful and sit on your hands before you type, since setting a debug_output will expose the complete HTTP protocol (including possible sensitive information) to the stream that is passed in.
Long story short: there is no "hidden" security hole.
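To make the answer's point concrete, here is an added example (it is not code from the question, the answer, or Ruby's own documentation). It sends one request carrying a constructed bearer token to a throw-away loopback server, first with a plain StringIO as the debug stream and then with a small redacting sink. The stub server, the RedactingLog class and the token value are all hypothetical helpers written for this example; only Ruby's standard library is assumed.

```ruby
require 'net/http'
require 'socket'
require 'stringio'

# Constructed for this example: a throw-away HTTP server on the loopback
# interface that answers one request with "200 OK" so the demo runs offline.
def with_stub_server
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  thread = Thread.new do
    client = server.accept
    # Consume the request headers up to the blank line, then reply.
    while (line = client.gets) && line != "\r\n"; end
    client.write("HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
    client.close
  rescue IOError
    nil # server socket closed before a connection arrived
  end
  yield port
ensure
  server&.close
  thread&.join
end

# Hypothetical debug sink: Net::HTTP only requires that the stream respond
# to <<, so this object scrubs credentials before anything reaches the log.
# Each chunk is scrubbed on its own; that is enough here because Net::HTTP
# dumps the whole request header block as a single chunk.
class RedactingLog
  attr_reader :string

  def initialize
    @string = +''
  end

  def <<(chunk)
    @string << chunk.to_s.gsub(/(Authorization: )[^\\"]*/i, '\1[REDACTED]')
    self
  end
end

# Send a request carrying a bearer token with debug output going to `sink`
# and return [response code, everything the sink collected].
def request_with_debug(port, sink)
  http = Net::HTTP.new('127.0.0.1', port)
  http.set_debug_output(sink)
  req = Net::HTTP::Get.new('/account')
  req['Authorization'] = 'Bearer SECRET-TOKEN-constructed' # constructed secret
  res = http.request(req)
  [res.code, sink.string]
end

# Plain StringIO as the debug stream: the token lands verbatim in the log.
def leaked_log
  with_stub_server { |port| request_with_debug(port, StringIO.new)[1] }
end

# Redacting sink: the same exchange is logged, minus the credential.
def redacted_log
  with_stub_server { |port| request_with_debug(port, RedactingLog.new)[1] }
end

if __FILE__ == $PROGRAM_NAME
  puts leaked_log.include?('SECRET-TOKEN-constructed')   # true
  puts redacted_log.include?('SECRET-TOKEN-constructed') # false
end
```

The first run shows exactly what the answer describes: the Authorization header, and every other header and body byte, is copied into whatever object you hand to set_debug_output. The second run shows that the only requirement on that object is a << method, so if debugging output is ever needed outside a developer's terminal, a sink that redacts before writing is a cheap way to avoid shipping credentials into a log file.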