yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1516765] Re: xenapi: volume_utils._parse_volume_info can leak connection password via StorageError

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Matt Riedemann <mriedem@xxxxxxxxxx>
Date: Tue, 24 Nov 2015 16:20:18 -0000
Reply-to: Bug 1516765 <1516765@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

@Tristan, per comment 4, yeah it can fail on attach and be logged here
at ERROR level:

https://github.com/openstack/nova/blob/12.0.0/nova/virt/block_device.py#L259

** Changed in: nova/juno
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1516765

Title:
  xenapi: volume_utils._parse_volume_info can leak connection password
  via StorageError

Status in OpenStack Compute (nova):
  Fix Committed
Status in OpenStack Compute (nova) juno series:
  Won't Fix
Status in OpenStack Compute (nova) kilo series:
  In Progress
Status in OpenStack Compute (nova) liberty series:
  Fix Committed
Status in OpenStack Compute (nova) mitaka series:
  Fix Committed
Status in OpenStack Security Advisory:
  Confirmed

Bug description:
  This code dumps the connection_info dict into the StorageError
  message:

  https://github.com/openstack/nova/blob/12.0.0/nova/virt/xenapi/volume_utils.py#L85-L87

  As can be seen a few lines later, auth_password can be in that dict:

  https://github.com/openstack/nova/blob/12.0.0/nova/virt/xenapi/volume_utils.py#L96

  So the password would be leaked into the error message that's raised
  up.  This could eventually get back to the logs or a user if not
  handled properly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1516765/+subscriptions

References

[Bug 1516765] [NEW] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError
From: Matt Riedemann, 2015-11-16