
yahoo-eng-team team mailing list archive

[Bug 1427533] Re: keystone logs password in log message

 

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1427533

Title:
  keystone logs password in log message

Status in OpenStack Identity (Keystone):
  Fix Released
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  Current master branch logs request at

  https://github.com/openstack/keystone/blob/master/keystone/common/wsgi.py#L230

  Sample log

  (keystone.common.wsgi): 2015-03-03 05:42:36,072 INFO wsgi __call__ POST /auth/tokens?auth=%7Bu%27scope%27%3A+%7Bu%27project%27%3A+%7Bu%27domain%27%3A+%7Bu%27name%27%3A+u%27Default%27%7D%2C+u%27name%27%3A+u%27admin%27%7D%7D%2C+u%27identity%27%3A+%7Bu%27password%27%3A+%7Bu%27user%27%3A+%7Bu%27domain%27%3A+%7Bu%27id%27%3A+u%27default%27%7D%2C+u%27password%27%3A+u%27admin%27%2C+u%27name%27%3A+u%27admin%27%7D%7D%2C+u%27methods%27%3A+%5Bu%27password%27%5D%7D%7D

  If you URL-decode it, you can easily see the user's password.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1427533/+subscriptions
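
An added example, not keystone's code or its fix: a Python log scrubber that URL-decodes the query string in a line like the sample log above, parses the Python-repr `auth` value, and masks string values stored under a `password` key. The names `scrub_line`, `mask` and `SENSITIVE_KEYS` are assumptions made for illustration.

```python
import ast
import re
from urllib.parse import parse_qsl, urlsplit

MASK = "***"
SENSITIVE_KEYS = {"password"}  # assumption: extend with other secret field names

# Sample log line from the bug description above.
SAMPLE = (
    "(keystone.common.wsgi): 2015-03-03 05:42:36,072 INFO wsgi __call__ POST "
    "/auth/tokens?auth=%7Bu%27scope%27%3A+%7Bu%27project%27%3A+%7Bu%27domain%27"
    "%3A+%7Bu%27name%27%3A+u%27Default%27%7D%2C+u%27name%27%3A+u%27admin%27%7D"
    "%7D%2C+u%27identity%27%3A+%7Bu%27password%27%3A+%7Bu%27user%27%3A+%7Bu%27"
    "domain%27%3A+%7Bu%27id%27%3A+u%27default%27%7D%2C+u%27password%27%3A+u%27"
    "admin%27%2C+u%27name%27%3A+u%27admin%27%7D%7D%2C+u%27methods%27%3A+%5Bu%27"
    "password%27%5D%7D%7D"
)

REQUEST_RE = re.compile(r"\b(?:GET|POST|PUT|PATCH|DELETE|HEAD) (\S+)")

def mask(value, found, key=None):
    """Mask string values stored under a sensitive key; record them in found."""
    if isinstance(value, dict):
        return {k: mask(v, found, k) for k, v in value.items()}
    if isinstance(value, list):
        return [mask(v, found) for v in value]  # list items carry no key
    if key in SENSITIVE_KEYS and isinstance(value, str):
        found.append(value)
        return MASK
    return value

def scrub_line(line):
    """Return (scrubbed_line, secrets_found) for one request log line."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group(1):
        return line, []
    url, found, params = urlsplit(m.group(1)), [], []
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        value = raw
        if raw.startswith(("{", "[")):  # Python-repr container, as in the sample
            try:
                value = ast.literal_eval(raw)  # accepts the u'...' prefixes
            except (ValueError, SyntaxError, RecursionError, MemoryError):
                value = MASK  # fail closed: drop an unparseable container whole
        params.append(f"{name}={mask(value, found, name)}")
    scrubbed = line[:m.start(1)] + url.path + "?" + "&".join(params) + line[m.end(1):]
    return scrubbed, found
```

Only string values under a `password` key are masked, so the `password` entry in `methods` and the nested `password` dictionary keep their structure in the scrubbed line.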