yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1427533] Re: keystone logs password in log message

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Thu, 19 Mar 2015 14:19:13 -0000
Reply-to: Bug 1427533 <1427533@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1427533

Title:
  keystone logs password in log message

Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Current master branch logs request at

  https://github.com/openstack/keystone/blob/master/keystone/common/wsgi.py#L230

  Sample log

  (keystone.common.wsgi): 2015-03-03 05:42:36,072 INFO wsgi __call__ POST /auth/tokens?auth=%7Bu%27scope%27%3A+%7Bu%27project%27%3A+%7Bu%27domain%27%3A+%7Bu%27name%27%3A+u%27Default%27%7D%2C+u%27name%27%3A+u%27admin%27%7D%7D%2C+u%27identity%27%3A+%7Bu%27password%27%3A+%7Bu%27user%27%3A+%7Bu%27domain%27%3A+%7Bu%27id%27%3A+u%27default%27%7D%2C+u%27password%27%3A+u%27admin%27%2C+u%27name%27%3A+u%27admin%27%7D%7D%2C+u%27methods%27%3A+%5Bu%27password%27%5D%7D%7D
  c^[:^C

  If do url decode, you can easily see the user's password

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1427533/+subscriptions