security fix - don't show passwords in logs

Gemfile

@@ -27,6 +27,7 @@ gem "merb-slices", merb_gems_version
 gem "merb-auth-core", merb_gems_version
 gem "merb-auth-more", merb_gems_version
 gem "merb-auth-slice-password", merb_gems_version
+gem "merb-param-protection", merb_gems_version
 
 git "git://github.com/schwabsauce/merb_dm_xss_terminate.git" do
   gem "merb_dm_xss_terminate"

app/controllers/application.rb

@@ -10,6 +10,20 @@ def current_user
 
   private
 
+  # overriding param protection code from merb-param-protection, because it's stupid and can't handle nested params
+  def self._filter_params(params)
+    return params if self.log_params_args.nil?
+    result = { }
+    params.each do |k,v|
+      if v.is_a?(Hash)
+        result[k] = self._filter_params(v)
+      else
+        result[k] = (self.log_params_args.include?(k.to_sym) ? '[FILTERED]' : v)
+      end
+    end
+    result
+  end
+
   def self.protect_fields_for(record, fields = {})
     if fields[:in]
       before(nil, :only => fields[:in]) do |c|

app/controllers/exceptions.rb

@@ -1,4 +1,6 @@
 class Exceptions < Merb::Controller
+
+  log_params_filtered :password
 
   # handle NotFound exceptions (404)
   def not_found

app/controllers/users.rb

@@ -11,6 +11,8 @@ class Users < Application
     :always => [:activities_count],
     :admin => [:role_id, :client_id, :login, :active, :admin, :type, :class_name]
 
+  log_params_filtered :password, :password_confirmation
+
   def index
     @user = if params[:client_id]
               ClientUser.new :client => Client.get(params[:client_id])

slices/merb-auth-slice-password/app/controllers/sessions.rb

@@ -1,4 +1,7 @@
 class MerbAuthSlicePassword::Sessions < MerbAuthSlicePassword::Application
+
+  log_params_filtered :password
+
   private   
   def redirect_after_logout
     message[:notice] = "Logged Out"