yahoo-eng-team team mailing list archive
Message #28999
[Bug 1427533] Re: keystone logs password in log message
Thanks Brant for the quick feedback!
I opened the bug since it only concerns master, can you please confirm
the keystone part and tag it for kilo in order to have it fixed before
the release?
** Information type changed from Private Security to Public Security
** Changed in: ossa
Status: Incomplete => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1427533
Title:
keystone logs password in log message
Status in OpenStack Identity (Keystone):
New
Status in OpenStack Security Advisories:
Won't Fix
Bug description:
The current master branch logs the request at
https://github.com/openstack/keystone/blob/master/keystone/common/wsgi.py#L230
Sample log
(keystone.common.wsgi): 2015-03-03 05:42:36,072 INFO wsgi __call__ POST /auth/tokens?auth=%7Bu%27scope%27%3A+%7Bu%27project%27%3A+%7Bu%27domain%27%3A+%7Bu%27name%27%3A+u%27Default%27%7D%2C+u%27name%27%3A+u%27admin%27%7D%7D%2C+u%27identity%27%3A+%7Bu%27password%27%3A+%7Bu%27user%27%3A+%7Bu%27domain%27%3A+%7Bu%27id%27%3A+u%27default%27%7D%2C+u%27password%27%3A+u%27admin%27%2C+u%27name%27%3A+u%27admin%27%7D%7D%2C+u%27methods%27%3A+%5Bu%27password%27%5D%7D%7D
If you URL-decode it, you can easily see the user's password.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1427533/+subscriptions
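An added example, not code from the keystone project or from this bug thread: it takes the sample log line quoted in the bug description above, decodes the `auth` query parameter (which keystone logged as a Python repr of the auth body), reports the path of every plaintext password it finds, and rebuilds the line with those values masked, which is the form the logger should have emitted. The key set `SENSITIVE_KEYS`, the `MASK` string and the function names are assumptions.

```python
import ast
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
# Request line copied from the sample log in the bug report above.
SAMPLE_LOG = (
    "(keystone.common.wsgi): 2015-03-03 05:42:36,072 INFO wsgi __call__ POST "
    "/auth/tokens?auth=%7Bu%27scope%27%3A+%7Bu%27project%27%3A+%7Bu%27domain%27%3A+"
    "%7Bu%27name%27%3A+u%27Default%27%7D%2C+u%27name%27%3A+u%27admin%27%7D%7D%2C+"
    "u%27identity%27%3A+%7Bu%27password%27%3A+%7Bu%27user%27%3A+%7Bu%27domain%27%3A+"
    "%7Bu%27id%27%3A+u%27default%27%7D%2C+u%27password%27%3A+u%27admin%27%2C+"
    "u%27name%27%3A+u%27admin%27%7D%7D%2C+u%27methods%27%3A+%5Bu%27password%27%5D%7D%7D"
)
SENSITIVE_KEYS = {"password"}  # assumption: keys whose string values must never be logged
MASK = "***"

def _scrub(value, found, path=""):
    """Return a masked copy of value; append the path of each masked secret to found."""
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            sub = f"{path}.{k}" if path else str(k)
            if k in SENSITIVE_KEYS and isinstance(v, str) and v != MASK:
                found.append(sub)
                out[k] = MASK
            else:
                out[k] = _scrub(v, found, sub)
        return out
    if isinstance(value, list):
        return [_scrub(v, found, f"{path}[{i}]") for i, v in enumerate(value)]
    return value

def scrub_request_line(log_line):
    """Return (redacted_line, leaked_paths): the line as it should have been logged,
    and the path of every plaintext secret found in its query string."""
    head, _, url = log_line.rpartition(" ")  # keystone logs the URL as the last token
    parts = urlsplit(url)
    found, cleaned = [], []
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        try:
            value = ast.literal_eval(raw)  # the auth body was logged as a Python repr
        except (ValueError, TypeError, SyntaxError):
            value = raw
        clean = _scrub({key: value}, found)[key]
        if isinstance(clean, (dict, list)):
            clean = repr(clean)  # re-serialise the masked body
        elif clean == value:
            clean = raw  # untouched scalar: keep its original text
        cleaned.append((key, clean))
    redacted = urlunsplit(parts._replace(query=urlencode(cleaned)))
    return f"{head} {redacted}".strip(), found
```

Running `scrub_request_line(SAMPLE_LOG)` flags `auth.identity.password.user.password` and returns the line with that value replaced by `***`; the username and scope fields are kept so the line stays useful for debugging.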