yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #41768
[Bug 1516765] Re: xenapi: volume_utils._parse_volume_info can leak connection password via StorageError
@Tristan, per comment 4, yeah it can fail on attach and be logged here
at ERROR level:
https://github.com/openstack/nova/blob/12.0.0/nova/virt/block_device.py#L259
** Changed in: nova/juno
Status: New => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1516765
Title:
xenapi: volume_utils._parse_volume_info can leak connection password
via StorageError
Status in OpenStack Compute (nova):
Fix Committed
Status in OpenStack Compute (nova) juno series:
Won't Fix
Status in OpenStack Compute (nova) kilo series:
In Progress
Status in OpenStack Compute (nova) liberty series:
Fix Committed
Status in OpenStack Compute (nova) mitaka series:
Fix Committed
Status in OpenStack Security Advisory:
Confirmed
Bug description:
This code dumps the connection_info dict into the StorageError
message:
https://github.com/openstack/nova/blob/12.0.0/nova/virt/xenapi/volume_utils.py#L85-L87
As can be seen a few lines later, auth_password can be in that dict:
https://github.com/openstack/nova/blob/12.0.0/nova/virt/xenapi/volume_utils.py#L96
So the password would be leaked into the error message that's raised
up. This could eventually get back to the logs or a user if not
handled properly.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1516765/+subscriptions
References