Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#5273 closed defect (invalid)

SECRET_KEY_BASE listed in error message

Reported by: aseerel4c26
Owned by: rails-dev@…
Priority: trivial
Milestone:
Component: website
Version:
Keywords:
Cc:

Description

A variable SECRET_KEY_BASE is listed in the section "Environment variables" of a ...

"Web application could not be started No server available (Dalli::RingError)"

... error message of the osm website which I just saw (not any more). Value is something like eJ+wiOKsadkdsasAasd+fsfjKLalwe+sd...

https://github.com/rails-api/rails-api/blob/dd6b71bd6e6e241529f541dc92b2076e9d238b28/lib/rails-api/templates/rails/app/config/initializers/secret_token.rb.tt says "Make sure your secret_key_base is kept private if you're sharing your code publicly."

While I do not know if this is really a problem for OSM, I rather mention it ... It *looks* not that nice to expose a variable which is named "secret" to users.

Change History (2)

comment:1 Changed 4 years ago by pnorman

Keywords: security removed
Priority: critical → trivial
Resolution: invalid
Status: new → closed

Not a security issue - we don't use it. See https://github.com/openstreetmap/openstreetmap-website/pull/432 for more information

comment:2 Changed 4 years ago by aseerel4c26

Okay, fine, thank you! :-)

Would it be (easily) possible to set this variable to 000000_not_used_000000 then? That way it would not look that suspicious (to other people seeing such errors in the future).
