Skip to content
This repository has been archived by the owner. It is now read-only.

SECRET_KEY_BASE listed in error message #5271

Closed
openstreetmap-trac opened this issue Jul 23, 2021 · 2 comments
Closed

SECRET_KEY_BASE listed in error message #5271

openstreetmap-trac opened this issue Jul 23, 2021 · 2 comments

Comments

@openstreetmap-trac
Copy link

@openstreetmap-trac openstreetmap-trac commented Jul 23, 2021

Reporter: aseerel4c26
[Submitted to the original trac issue database at 7.56pm, Tuesday, 20th January 2015]

a variable SECRET_KEY_BASE is listed in the section "Environment variables" of a ...

"Web application could not be started
No server available (Dalli::RingError)"

... error message of the osm website which I just saw (not any more). Value is something like eJ+wiOKsadkdsasAasd+fsfjKLalwe+sd...

https://github.com/rails-api/rails-api/blob/dd6b71bd6e6e241529f541dc92b2076e9d238b28/lib/rails-api/templates/rails/app/config/initializers/secret_token.rb.tt says "Make sure your secret_key_base is kept private if you're sharing your code publicly."

While I do not know if this is raelly a problem for OSM, I rather mention it ... It looks not that nice to expose a variable which is named "secret" to users.

@openstreetmap-trac
Copy link
Author

@openstreetmap-trac openstreetmap-trac commented Jul 23, 2021

Author: pnorman
[Added to the original trac issue at 1.50am, Monday, 2nd February 2015]

Not a security issue - we don't use it. See openstreetmap/openstreetmap-website#432 for more information

@openstreetmap-trac
Copy link
Author

@openstreetmap-trac openstreetmap-trac commented Jul 23, 2021

Author: aseerel4c26
[Added to the original trac issue at 2.02am, Monday, 2nd February 2015]

Okay, fine, thank you! :-)

Would it be (easily) possible to set this variable to 000000_not_used_000000 then? That way it would not look that suspicious (to other people seeing such errors in the future).

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant