yahoo-eng-team team mailing list archive - Message #18009
[Bug 1321804] Re: Information leakage from the error message for user creation
** Changed in: keystone
Status: Fix Committed => Fix Released
** Changed in: keystone
Milestone: None => juno-2
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1321804
Title:
Information leakage from the error message for user creation
Status in OpenStack Identity (Keystone):
Fix Released
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
When the user creation function tries to create a user name that
already exists, the API returns an error message with a status code of
409. Unfortunately, the error message contains the SQL statement. It
can provide useful information for the attacker.
For example,
POST /v2.0/users HTTP/1.1
Host: 23.253.125.245:35357
Content-Length: 160
Accept-Encoding: gzip, deflate, compress
Accept: application/xml
X-Auth-Token: MIIUxAYJKoZIhvcNAQcCoIIUtTCCFLECAQExDTALBglghkgBZQMEAgEwghMSBgkqhkiG9w0BBwGgghMDBIIS[...]9pFx7vCoYGl1vl-H63E4xqrTw5uYE+0AjSdef5OElFsdXUnq4jo1yC-xLCqFxS95oCHYd3g9vnIbg715u4WV+GFHap5QWxYgz4JyT-1Fj9hZJu2hO+erKVnBYsyBUpwU2WFR8GYL+Vsg6QeEE-0mrpgqSC7GQ4W7B2Imgr9A3fezDsdZf8WVuDcsMGbpRAkp0qus2H8q4yHu38H1ZdgA==
User-Agent: python-requests/2.2.1 CPython/2.7.5 Darwin/13.1.0
Content-Type: application/xml
<user OS-KSADM:password="password" email="blah@xxxxxxxxxxx" enabled="true" name="'" xmlns:OS-KSADM="http://docs.openstack.org/identity/api/ext/OS-KSADM/v1.0" />
Here is the response:
HTTP/1.1 409 Conflict
Vary: X-Auth-Token
Content-Type: application/xml
Content-Length: 638
Date: Wed, 21 May 2014 15:16:16 GMT
<?xml version="1.0" encoding="UTF-8"?>
<error xmlns="http://docs.openstack.org/identity/api/v2.0" message="Conflict occurred attempting to store user. (IntegrityError) (1062, "Duplicate entry 'default-'' for key 'domain_id'") 'INSERT INTO user (id, name, domain_id, password, enabled, extra, default_project_id) VALUES (%s, %s, %s, %s, %s, %s, %s)' ('391b7bb762554558be0b90591a5ff826', "'", 'default', '$6$rounds=40000$wGwbH/0zGyednfRW$VmBXEtaDcThTLskznCC/KnODYXqvSld.xU4z5/DjOieT4iMl5HIbYO.uRB24hj27bDq6daSQ0YGZjdKHhkNFG/', 1, '{"email": "blah@xxxxxxxxxxx"}', None)" code="409" title="Conflict"/>
We should use a generic error message for all errors.
https://www.owasp.org/index.php/Top_10_2007-Information_Leakage_and_Improper_Error_Handling
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1321804/+subscriptions
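The response quoted in the bug shows the whole chain of the leak: the database raises an IntegrityError, the ORM layer wraps it together with the rendered statement and its bound parameters (including the freshly computed password hash), and the API handler copies that wrapped text straight into the 409 body. The following is an added example written for this page, not Keystone's own code, that reproduces the pattern against an in-memory SQLite table and puts the "before" handler beside the generic-message "after" handler the report asks for. The StatementError class, the table layout, the PBKDF2 hash (standing in for sha512-crypt) and the handler names are assumptions chosen to mirror the quoted response.

```python
"""Added example (not Keystone code): an IntegrityError leaking into a 409
body, and the generic-message alternative that keeps SQL and hashes server-side."""
import hashlib
import logging
import os
import sqlite3
import uuid

LOG = logging.getLogger("identity.sql")


class _ListHandler(logging.Handler):
    """Captures server-side log lines so we can show where the details end up."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


SERVER_LOG = _ListHandler()
LOG.addHandler(SERVER_LOG)
LOG.setLevel(logging.WARNING)


class StatementError(Exception):
    """Assumed stand-in for the ORM wrapper: like the response in the bug, its
    text includes the driver error, the statement and every bound parameter."""

    def __init__(self, orig, statement, params):
        self.orig, self.statement, self.params = orig, statement, params
        super().__init__("(%s) %s %r %r" % (type(orig).__name__, orig, statement, params))


def connect():
    """Constructed schema with the (domain_id, name) uniqueness the bug trips on."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id TEXT PRIMARY KEY, name TEXT, domain_id TEXT, "
        "password TEXT, enabled INTEGER, extra TEXT, default_project_id TEXT, "
        "UNIQUE(domain_id, name))"
    )
    return conn


def _hash_password(password):
    # Stand-in for sha512-crypt; still a secret-derived value that must never
    # appear in a response body.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 40000)
    return "$pbkdf2$%s$%s" % (salt.hex(), digest.hex())


def _insert_user(conn, name, password, domain_id="default"):
    stmt = ("INSERT INTO user (id, name, domain_id, password, enabled, extra, "
            "default_project_id) VALUES (?, ?, ?, ?, ?, ?, ?)")
    params = (uuid.uuid4().hex, name, domain_id, _hash_password(password), 1,
              '{"email": "blah@example.com"}', None)
    try:
        conn.execute(stmt, params)
    except sqlite3.IntegrityError as exc:
        raise StatementError(exc, stmt, params) from exc


def create_user_leaky(conn, name, password):
    """Before: str(exc) goes into the client-visible message."""
    try:
        _insert_user(conn, name, password)
        return 201, {"title": "Created"}
    except StatementError as exc:
        msg = "Conflict occurred attempting to store user. %s" % exc
        return 409, {"title": "Conflict", "message": msg}


def create_user_fixed(conn, name, password):
    """After: fixed wording for the client; statement and parameters only in
    the server log, where an operator can still debug the conflict."""
    try:
        _insert_user(conn, name, password)
        return 201, {"title": "Created"}
    except StatementError as exc:
        LOG.warning("duplicate user %r in domain %r: %s", name, "default", exc)
        return 409, {"title": "Conflict",
                     "message": "Conflict occurred attempting to store user."}


def leaks_internals(message):
    """True if a response body exposes the SQL statement or a password hash."""
    return "INSERT INTO" in message or "$pbkdf2$" in message


if __name__ == "__main__":
    db = connect()
    create_user_leaky(db, "'", "password")          # first create succeeds
    print(create_user_leaky(db, "'", "password"))   # second one leaks
    print(create_user_fixed(db, "'", "password"))   # generic message instead
    print("\n".join(SERVER_LOG.records))            # details stayed on the server
```

Running it creates the user `'` once, then submits the same name twice more: the leaky handler's 409 carries the INSERT statement and the hash exactly as in the quoted response, while the fixed handler's 409 carries only the generic sentence and the same details show up in the server log instead.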